Remote Code Execution (RCE) Attack: Definition, Examples, and Protection

What Is Remote Code Execution?

Remote code execution (RCE), also known as code injection or remote code evaluation, is a technique to exploit an application's input validation flaws to execute malicious code over a network. Specifically, it is an arbitrary code execution (ACE) attack done remotely.

RCE vulnerabilities occur when an application fails to validate and sanitize user input or dynamic evaluation calls. Without strict input validation, an interpreter cannot differentiate valid inputs from malicious commands, leading it to execute all commands within the code.

This injection of code is what separates RCE from command injection vulnerabilities, where a threat actor executes arbitrary commands on the host operating system instead of the application.

RCE is often found at the end of a long chain of exploits such as server-side request forgery and obfuscation. It is the end game, the final step in a wide range of attacks, from ransomware to crypto mining to data theft. As such, many RCE vulnerabilities are rated by the National Institute of Standards and Technology (NIST) as high or critical threats due to their severe impact on an application's integrity, confidentiality, and availability.

Indeed, some of the most widespread and damaging threats in the last decade exploit RCE at their core—Log4Shell, WannaCry, Tesla Crypt—just to name a few. And of the 15 most routinely exploited vulnerabilities rated by the Cybersecurity & Infrastructure Security Agency (CISA) in 2021, nine out of 15 are RCEs.

Protection Against Remote Code Execution

Three key actions can significantly reduce your exposure to RCE attacks.

First, sanitize and validate inputs. Start with a comprehensive scan of your application using a static code checking tool to uncover vulnerabilities, then implement safeguards around user input like whitelisting expected values and escaping special symbols. Disallow dynamic evaluation constructs altogether and use one of the many safe alternatives to reading strings as code (e.g., call function, call static method, call instance method of object).

Second, establish a patch management process. Because many RCE attacks stem from zero-day vulnerabilities, patching may be the most effective and fastest way to nullify an RCE threat. For example, a fast-evolving vulnerability such as Log4Shell required at least four patches from multiple vendors within a month as new vulnerabilities were discovered. In this environment, a standardized, automated process for keeping your systems up to date will go a long way in keeping your organization safe.

Finally, use a network detection and response solution to monitor both east-west and north-south traffic. Having this last line of defense will allow you to detect and mitigate zero-day RCE vulnerabilities and any malicious behavior within your network such as unexpected user logins, database enumeration, network scanning, and more.

History of Remote Code Execution

Remote code execution is one of the oldest and most popular vectors for malware to propagate and remains one of the most dangerous vulnerabilities on the threat landscape today.

It's been on the CWE/SANS Top 25 Most Dangerous Programming Errors list since its inception in 2009, coming in at number 25 in 2022. RCE attacks also rank highly on the OWASP Top 10, which is an annual list of web application threats compiled by the Open Web Application Security Project (OWASP). It was third on the list in 2021.

Though it may not be easy to discover an RCE vulnerability, they can spread with incredible speed due to the relatively low level of skill required to exploit them. The Log4Shell vulnerability found in December 2021 is a good reminder of just how damaging RCE can be.