What is remote code execution?

A remote code execution (RCE) attack is where an attacker run malicious code on an organization’s computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data.

Learning Objectives

After reading this article you will be able to:

  • What is remote code execution
  • How remote code execution (RCE) attacks work
  • How attackers can use RCE
  • How to prevent remote code execution

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is remote code execution?

A remote code execution (RCE) attack is one where an attacker can run malicious code on an organization’s computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data.

How remote code execution (RCE) attacks work

Remote code execution attacks generally occur via vulnerabilities in web applications and network infrastructure.

Remote code execution vulnerabilities are flaws in software that allow an attacker to run malicious code on a target system. Several types of vulnerabilities can be used for RCE, including the following examples:

  • Injection vulnerabilities: An injection vulnerability — such as SQL injection or command injection — is enabled by poor input sanitization. If a user provides a carefully-crafted, malicious input, some of their provided data will be interpreted as commands to be run. This allows the attacker to force the vulnerable system to execute attacker-provided code.
  • Insecure deserialization: Serialization simplifies the transmission of sets of data by packing it into a single string of bits to be unpacked by the recipient system. However, if the structure of serialized data is not well defined, an attacker may be able to craft an input that is misinterpreted when it is unpacked. Depending on how the data is stored and processed, this misinterpretation may allow the attacker to achieve code execution.
  • Out-of-bounds write: A buffer is a fixed-size piece of memory that is allocated to store data. Insecure data reads or writes could allow an attacker to place data where it would be interpreted as code or as important control flow information for the application.
  • File management: Some applications allow users to upload files to a server. The access that this provides may allow an attacker to upload a file containing malicious code and trick the application into executing it.

Malware is attacker-provided code that is designed to be executed on a target system. An RCE vulnerability simply allows an attacker to deploy malware in different ways.

As a result, RCE vulnerabilities can be used to achieve many of the same goals as traditional malware. RCE can be used to deploy malware on a vulnerable system, perform a denial-of-service (DoS) attack, or access sensitive information stored on a system.

How attackers can use RCE

Remote code execution is is dangerous because the ability to run malicious code provides an attacker with a variety of options. Some of the ways that RCE vulnerabilities can be used to further common attacks include the following:

  • Remote access: RCE vulnerabilities are commonly used to give an attacker an initial foothold on a corporate network that they could then expand. For example, an RCE vulnerability could allow an attacker to steal login credentials that would allow them network access via a VPN.
  • Malware deployment: Though RCE vulnerabilities allow code execution, this code may be limited in scope. . To get around this limitation, attackers may use RCE to download and execute other, more destructive malware. For example, RCE could be used to download and execute ransomware on a vulnerable system.
  • Data theft: RCE vulnerabilities could allow an attacker to run commands within a vulnerable application. This may provide access to the filesystem, databases, and other stores of sensitive corporate and customer data.
  • Data destruction: RCE vulnerabilities could allow an attacker to run DROP commands within a database or execute code within the system terminal. This access provides the same ability to delete files that a legitimate user would have
  • DoS attacks: Out-of-bounds write vulnerabilities allow an attacker to overwrite critical code, crashing an application. Other RCE vulnerabilities could allow the termination of processes or the deletion of vital data.

How to prevent remote code execution

Remote code execution attacks are made possible by vulnerabilities in corporate web applications. Some of the methods companies can use to reduce their exposure to RCE attacks include the following:

  • Vulnerability scanning: A combination of static code analysis — to identify well-known vulnerability patterns — and dynamic analysis like fuzzing can help developers identify and correct RCE vulnerabilities before they can be exploited.
  • Updating and patching: RCE vulnerabilities may be discovered in an application or the third-party libraries that it depends on. Promptly applying updates and patches reduces the window during which vulnerable code could be exploited.
  • Input validation: Most RCE vulnerabilities involve poor input validation, where an application makes assumptions about user-provided data. Robust input validation can eliminate the threat of most RCE vulnerabilities.
  • Network monitoring: Attempted RCE exploits can be detected and blocked by a web application and API protection (WAAP) solution. Deploying network security solutions in front of web applications can reduce the potential risks of unpatched vulnerabilities.

Protect against RCE with Cloudflare One

As web applications increasingly move to cloud-based hosting, securing them against exploitation becomes more difficult. The Cloudflare Web Application Firewall uses a massive array of global threat intelligence to block remote code execution attempts.

In addition, Cloudflare One, Cloudflare’s Secure Access Service Edge (SASE) platform, provides robust security and monitoring for internal corporate applications.