What is Remote Code Execution (RCE)

Remote Code Execution (RCE) is a critical security vulnerability that allows an attacker to execute code on a target system from a remote location, without physical access to the system. This means an attacker can send specially crafted requests to an application, server, or API and cause it to run malicious commands as if they were part of the system itself.

Because RCE enables attackers to directly control how a system behaves, it is considered one of the most dangerous classes of vulnerabilities in cybersecurity. It’s important to understand that RCE can refer to both the vulnerability in a system that allows for RCE attacks, and an RCE attack (the act of exploiting a system) itself. 

How does a remote code execution vulnerability occur?

RCE vulnerabilities typically arise when applications improperly handle user input or execute commands without sufficient validation. Common causes include insecure deserialization, injection flaws, vulnerable dependencies, misconfigured APIs, and unpatched software.

Common causes of RCE include:

• Injection flaws that allow user input to be interpreted as commands

• Insecure deserialization of user-controlled data

• Vulnerable or outdated third-party libraries and frameworks

• Misconfigured APIs or administrative interfaces

• Unsafe file upload or parsing functionality

Modern applications often rely on complex dependency chains, which increases the risk of unknowingly introducing an RCE vulnerability through third-party components.

Why is remote code execution so dangerous?

RCE is especially dangerous because it can result in complete system compromise. Successful attacks allow bad actors to take over entire systems remotely, and once they have complete control, they may:

• Steal sensitive data like customer information or credentials

• Install malware or ransomware

• Create backdoors for future access

• Disable services or cause outages

• Move laterally to other systems within the environment

Why is RCE a concern for modern applications?

Modern applications are highly distributed, rely heavily on open-source software, and expose APIs to the public internet. This increases both the attack surface and the speed at which vulnerabilities can be exploited. Because RCE vulnerabilities enable immediate and high-impact attacks, they are consistently ranked among the most critical security risks. The new OWASP Top 10 list, in its most recent 2025 edition, named various RCE attack types among its highest security concerns. 

What are common examples of remote code execution attacks?

RCE attacks frequently exploit publicly disclosed vulnerabilities in widely used software. Examples include:

• Exploiting a vulnerable web framework or plugin

• Sending malicious payloads through form fields or API parameters

• Uploading files that are later executed by the server

• Triggering execution flaws in parsers, deserializers, or template engines

Attackers often automate these exploits, scanning the internet for exposed systems shortly after a new RCE vulnerability is disclosed.  The React2Shell vulnerability is an example of how quickly bad actors can take advantage of a newly-discovered  vulnerability, and how severe the consequences can be. 

What are the main RCE attack types? 

Command injection. Injecting operating system commands through unvalidated inputs.
Code injection. Injecting executable code into application runtimes.
Insecure deserialization. Executing code during unsafe object deserialization.
Malicious file uploads. Uploading files that are later executed by the server.
Template injection. Injecting code into server-side templates.
Expression language injection. Exploiting application expression engines.
Vulnerable dependencies. Exploiting RCE flaws in third-party libraries or frameworks.
API misuse. Abusing APIs that allow unsafe execution or administrative actions.
Sandbox or container escape. Breaking out of restricted execution environments.
Memory corruption exploits. Exploiting low-level flaws such as buffer overflows.

How do attackers exploit remote code execution?

Attackers exploit RCE by crafting requests that cause an application to interpret input as executable instructions. Once the malicious code runs, attackers can:

• Execute operating system commands

• Download additional malicious tools

• Modify application logic or configuration

• Access databases or internal services

The speed and automation of these attacks mean that unpatched RCE vulnerabilities can be exploited within hours of disclosure.

How can you detect remote code execution attempts?

Detecting RCE attacks requires visibility into application behavior and traffic patterns. Warning signs may include:

• Unexpected command execution or process creation

• Abnormal API or request payloads

• Unusual outbound connections from servers

• Spikes in error rates or system resource usage

Security controls like  Web Application Firewalls (WAFs), runtime monitoring, and real-time traffic analysis can help identify and block RCE exploitation attempts before they succeed.

How can you prevent remote code execution vulnerabilities?

Preventing RCE requires a layered security approach that combines secure development practices with runtime protection. Key prevention measures include:

• Strict input validation and output handling

• Regular patching of software and dependencies

• Minimizing application privileges using the principle of least privilege

• Secure configuration of APIs and administrative endpoints

• Continuous monitoring, logging, and alerting

• Use of a web application firewall

How does a WAF help protect against RCE?

A WAF helps protect against RCE by inspecting incoming traffic for known exploit patterns, malicious payloads, and suspicious behavior. Advanced WAFs can block both signature-based attacks and anomalous requests that indicate an attempted RCE, even when targeting newly disclosed vulnerabilities.

When deployed at the edge, a WAF can stop RCE attempts before they ever reach the origin infrastructure.

How Fastly can help

Use of a modern security solution like Fastly’s Next-Gen WAF can help identify, block and prevent RCE attacks. It helps by:

Blocking known exploit patterns

WAFs use predefined rules and signatures to detect common RCE techniques, like command injection, code injection, and exploitation of known vulnerabilities. When a request matches a known RCE pattern, the WAF can block it immediately, reducing the risk of attackers exploiting unpatched or newly disclosed vulnerabilities.

Detecting malicious behavior

Beyond static signatures, modern WAFs analyze request behavior to identify suspicious activity that may indicate an RCE attempt. This includes abnormal parameter values, unexpected request structures, or repeated probing designed to trigger execution flaws. Behavioral detection helps protect against evolving or obfuscated attack techniques.

Protecting APIs and dynamic applications

RCE attacks increasingly target APIs and dynamic endpoints rather than traditional web pages. A WAF can enforce schema validation, method restrictions, and request normalization to ensure only expected inputs are processed, significantly reducing the attack surface for RCE vulnerabilities.

Mitigating zero-day exposure

While a WAFcannot fix vulnerable code, it can provide virtual patching by blocking exploit attempts for known and emerging vulnerabilities until a permanent fix is deployed. This is especially important for RCE flaws, which are often exploited rapidly after disclosure.

Reducing blast radius at the edge

When deployed at the edge, a WAF stops RCE attempts before they reach origin servers, limiting the potential impact of an attack. This helps protect backend systems, sensitive data, and internal services from compromise.

Supporting defense in depth

A WAF is most effective as part of a layered security strategy. Combined with secure coding practices, timely patching, least-privilege access, and monitoring, a WAF significantly reduces the likelihood and impact of RCE attacks.