CVE-2026-27182

HighPublic PoC

Published: 18 February 2026

Published

18 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Saturn Remote Mouse Server contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000. Attackers on the local network can send malformed packets with unsanitized command data…

that the service forwards directly to OS execution functions, enabling remote code execution under the service account.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation and sanitization of specially crafted UDP JSON inputs before forwarding to OS execution functions.

SC-41 Port and I/O Device Access good match

prevent

Prevents unauthenticated local network attackers from reaching the vulnerable UDP port 27000 by restricting ports, protocols, and services.

SI-2 Flaw Remediation good match

prevent

Addresses the root cause by mandating identification, reporting, and correction of the specific command injection flaw via vendor patches.

Security SummaryAI

CVE-2026-27182 is a command injection vulnerability in Saturn Remote Mouse Server. The flaw allows unauthenticated attackers to execute arbitrary commands by sending specially crafted UDP JSON frames to port 27000. Attackers on the local network can send malformed packets containing unsanitized command data, which the service forwards directly to OS execution functions, resulting in remote code execution under the service account. The vulnerability carries a CVSS score of 8.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306: Missing Authentication for Critical Function.

Attackers positioned on the local network can exploit this issue without privileges or user interaction by crafting and transmitting UDP packets to the affected port. Successful exploitation leads to arbitrary command execution with the privileges of the Saturn Remote Mouse Server service account, potentially enabling full system compromise, data theft, persistence, or lateral movement within the network.

Advisories provide further details on the issue, including those published by VulnCheck at https://www.vulncheck.com/advisories/saturn-remote-mouse-server-udp-command-injection-rce, PacketStorm at https://packetstorm.news/files/id/215835/, and the vendor site at https://www.saturnremote.com/. Security practitioners should consult these resources for recommended mitigations, such as blocking UDP port 27000 or applying any available patches.

Details

CWE(s): CWE-306

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote code execution through command injection in a network-accessible service (UDP port 27000), directly facilitating T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://packetstorm.news/files/id/215835/
disclosure@vulncheck.com
https://www.saturnremote.com/
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/saturn-remote-mouse-server-udp-command-injection-rce
disclosure@vulncheck.com