Remote Code Execution (RCE)

A Remote Code Execution vulnerability lets an attacker run their own code on a target system over a network, without first needing to be logged in as a user on that system. RCE is the most-impactful class of software vulnerability: success usually means the attacker can read or modify any data the application can, install malware, pivot deeper into the network, or take the service offline.

Why it matters

RCE flaws are routinely chained into ransomware deployments, supply-chain compromises, and large-scale data theft. Several of the most consequential security incidents of the past decade — Log4Shell (CVE-2021-44228), Shellshock (CVE-2014-6271), Equifax/Apache Struts (CVE-2017-5638) — were RCE bugs. When CISA adds a CVE to its Known Exploited Vulnerabilities catalog, it is most often because attackers are using an RCE.

How we identify RCE on this site

The RCE badge on a CVE page is deterministic. We emit it when both of the following are true:

CVSS attack vector is Network (AV:N) and at least one impact (Confidentiality, Integrity, or Availability) is HIGH; and
The CVE is mapped to a CWE in the code-execution family: CWE-77 (Command Injection), CWE-78 (OS Command Injection), CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-502 (Deserialization of Untrusted Data), or CWE-917 (Expression Language Injection).

Requiring both signals to agree keeps the badge meaningful — for instance, a network-reachable information-disclosure bug (AV:N but no code-execution CWE) does not qualify, and a deserialization flaw exploited only from a local prompt (AV:L) does not qualify either.

What to do when you see the badge

RCE bugs deserve priority. Check the Mitigating Controls section on the CVE page for the strongest NIST 800-53 r5 controls our analysis recommends. For internet-exposed services, patching or upstream mitigation should usually be done within hours, not weeks.