What is remote code execution (RCE)?

Last reviewed June 2, 2026

Remote code execution (RCE) is a vulnerability that lets an attacker run arbitrary code on a target system over a network, usually without authentication. It is among the most severe flaw types because it can mean full compromise of the host. RCE arises from injection, unsafe deserialization, and memory-corruption bugs, and is prevented by validating input and avoiding dynamic code or command execution.

What remote code execution is

Remote code execution means an attacker can cause a target system to execute code of their choosing across a network. The most direct underlying weakness is CWE-94 (Improper Control of Generation of Code, also called Code Injection), where untrusted input ends up being interpreted as program code.

RCE is the practical worst case for most systems: once an attacker runs code on a host, they can read data, install malware, pivot deeper into the network, and establish persistence. CVSS scores for unauthenticated RCE frequently land in the Critical band.

How the attack works

A classic example is an application that builds a shell command from user input, such as ping -c 1 $host. If the attacker sets host to 127.0.0.1; rm -rf /, the server runs both the ping and the destructive second command. A related code-injection example is calling a language's eval() function on attacker-controlled text, which executes whatever expression the attacker supplies.

RCE also emerges indirectly. Insecure deserialization can instantiate attacker-chosen objects that run code, template injection can evaluate expressions, and memory-corruption bugs can redirect execution to attacker-supplied instructions. The common thread is that data crosses the boundary into being treated as code.

Real-world impact

  • Full control of the affected server or application process.
  • Data theft, ransomware deployment, and destruction of data.
  • Use of the host as a foothold for lateral movement across the network.
  • Worms that self-propagate, as seen in several high-profile RCE outbreaks.

How to prevent it

  • Never pass untrusted input to eval, dynamic code generation, or template engines that evaluate expressions.
  • Avoid invoking the OS shell; when you must run a process, use parameterized APIs that pass arguments as an array rather than a single string.
  • Validate input against strict allowlists and reject unexpected characters.
  • Patch promptly: many RCEs are in libraries and frameworks where a vendor fix already exists.
  • Run services with least privilege and sandboxing so a successful RCE is contained.
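
The ping example from "How the attack works", shown next to the argument-array and allowlist fix from the list above. This is an added example, not code from the original page; the function names and the hostname allowlist pattern are assumptions made for illustration, and the hostile string is only tokenized, never executed.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed allowlist: one DNS label = letters, digits, inner hyphens only.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def vulnerable_command(host):
    """The 'before': user input concatenated into a string meant for a shell."""
    return "ping -c 1 " + host

def commands_seen_by_shell(cmdline):
    """Tokenize like a POSIX shell and split on control operators.
    Simplified: ignores $(...) and backticks. Nothing is executed."""
    commands, current = [], []
    for tok in shlex.shlex(cmdline, posix=True, punctuation_chars=True):
        if tok in {";", "&", "&&", "|", "||"}:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def validate_host(host):
    """Accept only an IP literal or a hostname built from allowlisted labels."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and all(_LABEL.fullmatch(p) for p in host.split(".")):
        return host  # cannot start with "-", so it cannot pose as an option
    raise ValueError(f"rejected host: {host!r}")

def safe_argv(host):
    """The 'after': a fixed argument vector; the host is one element."""
    return ["ping", "-c", "1", validate_host(host)]

def ping(host):
    """Run ping without a shell (shell=False is the subprocess default)."""
    return subprocess.run(safe_argv(host), capture_output=True, text=True,
                          timeout=5, check=False)

if __name__ == "__main__":
    hostile = "127.0.0.1; rm -rf /"   # input quoted in the article
    print(commands_seen_by_shell(vulnerable_command(hostile)))
    print(safe_argv("127.0.0.1"))
```

The allowlist does two jobs: it rejects shell metacharacters outright, and it rejects values beginning with a hyphen, which an argument array alone would still pass to ping as an option.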

Frequently asked questions

What is remote code execution in simple terms?
It is a flaw that lets an attacker run their own commands or programs on a remote machine over the network, effectively taking control of it.

What causes RCE vulnerabilities?
Common causes are command and code injection, insecure deserialization, server-side template injection, and memory-corruption bugs. In each, attacker-controlled data ends up being executed as code.

How serious is an RCE vulnerability?
It is usually among the most serious. Unauthenticated, network-reachable RCE often scores Critical on CVSS because it can lead to complete compromise of the host.

Which CWE covers remote code execution?
RCE most directly maps to CWE-94, Improper Control of Generation of Code (Code Injection), though specific instances may also relate to command injection or deserialization weaknesses.