Code Defence Cyber security

Rclone unauthenticated RCE vulnerabilities targeted in mass cloud harvesting campaign

Two critical vulnerabilities in a popular cloud migration and backup utility are being exploited to execute unauthorized commands on backup servers. These flaws target the remote control interface of the tool, allowing attackers to hijack active data transfers and exfiltrate cloud credentials.

The more dangerous of the two, CVE-2026-41179, resides in the “bearer_token_command” functionality of Rclone. An unauthenticated attacker can supply a malicious backend definition that executes local commands during initialization. This provides a direct path to remote code execution on any server where the Rclone remote control (RC) interface is enabled without proper authentication.

Rclone is frequently used for massive cloud migrations and automated backups, meaning a compromise here grants the attacker access to all data being transferred. The exploitation of migration tools is a strategic move to compromise the entire cloud data footprint of an organization at the moment of transit.

– Upgrade Rclone to version 1.73.5 or higher immediately to neutralize the RCE path.

– Verify that the Rclone remote control interface is not public-facing and that “rc-no-auth” is not enabled in production.

– Monitor for anomalous child processes spawned by rclone.exe or rclone binaries on backup and automation servers.

– Rotate all cloud API keys and service account tokens that were managed or utilized by unpatched Rclone instances.
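The following script is an added example of the version and exposure checks above, not code from this advisory or from the Rclone project. It assumes a Linux host where `rclone version` prints a `vX.Y.Z` token and `ps -eo args` lists process command lines; the `--rc`, `--rc-no-auth` and `--rc-addr` flags and the `rcd` subcommand are Rclone's own, while `localhost:5572` as the default bind address is assumed.

```python
import re
import shutil
import subprocess

PATCHED = (1, 73, 5)  # fixed release named in the advisory

def parse_version(text):
    """Return (major, minor, patch) from the first 'vX.Y.Z' token, e.g. 'rclone v1.73.5'."""
    m = re.search(r"\bv(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def version_is_patched(text):
    """True when the reported version is at or above the fixed release."""
    v = parse_version(text)
    return v is not None and v >= PATCHED

def _flag_value(args, flag):
    """Value of a '--flag=value' or '--flag value' option, or None if absent."""
    for i, a in enumerate(args):
        if a.startswith(flag + "="):
            return a.split("=", 1)[1]
        if a == flag and i + 1 < len(args):
            return args[i + 1]
    return None

def rc_exposure(cmdline):
    """Findings for one process command line; empty when RC is off or local-only."""
    args = cmdline.split()
    if not args or args[0].rsplit("/", 1)[-1] not in ("rclone", "rclone.exe"):
        return []
    if "--rc" not in args and "rcd" not in args:
        return []  # remote control interface not enabled
    findings = []
    if "--rc-no-auth" in args:
        findings.append("rc-no-auth: RC accepts unauthenticated requests")
    addr = _flag_value(args, "--rc-addr") or "localhost:5572"  # assumed default bind
    host = addr.rsplit(":", 1)[0]
    if host in ("", "0.0.0.0", "[::]", "::"):
        findings.append(f"rc-addr={addr}: RC bound on all interfaces")
    return findings

def audit_host():
    """Run both checks on this machine; returns (patched, {cmdline: findings})."""
    exe = shutil.which("rclone")
    ver = subprocess.run([exe, "version"], capture_output=True, text=True).stdout if exe else ""
    ps = subprocess.run(["ps", "-eo", "args"], capture_output=True, text=True).stdout
    exposed = {c: rc_exposure(c) for c in ps.splitlines() if rc_exposure(c)}
    return version_is_patched(ver), exposed

if __name__ == "__main__":
    print(audit_host())
```

A process that reports `rc-no-auth` or an all-interfaces bind is a candidate for the credential rotation step above, regardless of whether the binary has already been upgraded.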

The security of the migration channel is as critical as the security of the destination; its compromise is a total loss event for data integrity. #CodeDefence #Rclone #CloudSecurity #RCE
