Cyber Resilience

CVE-2026-27476

Critical · Public PoC · RCE

Published: 19 February 2026

Modified: 15 April 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0263 (83.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27476 is a critical-severity OS Command Injection (CWE-78) vulnerability in Packetstorm (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27476 is a command injection vulnerability (CWE-78) in RustFly 2.0.0, published on 2026-02-19. The flaw exists in the software's remote UI control mechanism, which accepts hex-encoded instructions over UDP port 5005 without proper sanitization. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its potential for severe impact.

Remote, unauthenticated attackers can exploit the vulnerability by sending crafted hex-encoded payloads to UDP port 5005 on affected systems. No privileges or user interaction are required, enabling network-based attacks with low complexity. Successful exploitation grants arbitrary command execution on the target system, including reverse shell establishment and other malicious operations.

Mitigation guidance is available in related advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/rustfly-command-injection-via-udp-remote-control and PacketStorm at https://packetstorm.news/files/id/215819/.

Vulnerability details

RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The CVE enables remote, unauthenticated command injection via a UDP service, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28470 (Shared CWE-78)
CVE-2025-69269 (Shared CWE-78)
CVE-2025-24971 (Shared CWE-78)
CVE-2026-22553 (Shared CWE-78)
CVE-2026-22901 (Shared CWE-78)
CVE-2026-1345 (Shared CWE-78)
CVE-2026-6349 (Shared CWE-78)
CVE-2025-9588 (Shared CWE-78)
CVE-2026-24689 (Shared CWE-78)
CVE-2025-0457 (Shared CWE-78)

Affected Assets

Packetstorm
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of hex-encoded inputs received over UDP port 5005 to prevent command injection exploits.

prevent

Requires timely remediation of the specific sanitization flaw in RustFly 2.0.0 via patching or upgrades.

prevent

Enforces boundary protections such as firewalls to block unauthorized inbound traffic to the exposed UDP port 5005.
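
The input-validation control above, sketched as an added example (not RustFly's code and not taken from the referenced advisories): a receiver for hex-encoded UDP instructions that decodes strictly, matches the decoded line against an allowlist grammar, and returns an argument vector for in-process handlers instead of passing text to a shell. The instruction names, argument formats and the 128-byte cap are assumptions made for illustration.

```python
import binascii
import re

MAX_DATAGRAM = 128  # assumed size cap for one instruction
# Hypothetical grammar (an assumption, not RustFly's): name -> whole-line pattern.
ALLOWED = {
    "PAUSE": re.compile(r"PAUSE"),
    "RESUME": re.compile(r"RESUME"),
    "VOLUME": re.compile(r"VOLUME (?:100|[1-9]?[0-9])"),
    "SEEK": re.compile(r"SEEK [0-9]{1,5}"),
}
# Strict hex: whole byte pairs only, no whitespace or prefix.
HEX_ONLY = re.compile(rb"(?:[0-9a-fA-F]{2})+")

class Rejected(ValueError):
    """Datagram failed validation; the caller logs and drops it."""

def parse_instruction(datagram: bytes) -> list[str]:
    """Return argv for a valid instruction, else raise Rejected."""
    if len(datagram) > MAX_DATAGRAM:
        raise Rejected("oversized")
    if not HEX_ONLY.fullmatch(datagram):
        raise Rejected("not strict hex")
    try:
        text = binascii.unhexlify(datagram).decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII payload") from None
    pattern = ALLOWED.get(text.split(" ", 1)[0])
    if pattern is None:
        raise Rejected("unknown instruction")
    if not pattern.fullmatch(text):
        raise Rejected("bad argument")
    # argv goes to an in-process handler table, never to a shell.
    return text.split(" ")

def triage(datagrams):
    """Return one verdict string per datagram, for logging or tests."""
    verdicts = []
    for d in datagrams:
        try:
            verdicts.append("accept:" + " ".join(parse_instruction(d)))
        except Rejected as why:
            verdicts.append("reject:" + str(why))
    return verdicts

# Constructed sample datagrams (hex of an instruction line), not captured traffic.
SAMPLES = [b"VOLUME 40".hex().encode(), b"VOLUME 40;id".hex().encode(),
           b"REBOOT".hex().encode(), b"VOLUME 40", b"ff"]
```

Logging the `reject:` verdicts together with the source address gives a detection signal for probing of the port, alongside the boundary filtering described above.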
