Glossary

What Is RCE (Remote Code Execution)?

RCE (Remote Code Execution) is a vulnerability class that lets an attacker run code of their choosing on a target system over the network, in the worst case without any prior authentication. It sits at the top of most threat models because a single RCE gives the attacker a foothold from which to pivot into the rest of the environment. CWE-94 (Improper Control of Generation of Code, "Code Injection") and CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection") are the umbrella weakness categories.

Common RCE classes in web apps

  • Command injection — user input concatenated into shell commands (exec("convert " + filename))
  • Server-side template injection (SSTI) — user input rendered in a template engine that allows code execution (Jinja2, Twig, Velocity)
  • Deserialization of untrusted data — PHP unserialize(), Python pickle.loads(), Java readObject(), .NET BinaryFormatter
  • File upload + interpretation — uploading a .php file to a path the server interprets
  • Library vulnerabilities — the Log4Shell (CVE-2021-44228) / Spring4Shell (CVE-2022-22965) / ImageMagick "ImageTragick" (CVE-2016-3714) pattern: a dependency parses user input and exposes a code-execution gadget

How SQUR detects RCE

For every input vector that reaches a possible interpreter (shell, template engine, deserializer, file path), the validator constructs a callback payload that, if executed, makes the target contact a SQUR-controlled out-of-band server. The finding is confirmed only when that callback fires. The validator records the source IP and User-Agent of the callback, which is enough to demonstrate code execution without leaving persistent artefacts on the target (the callback itself will still appear in the target's egress or DNS logs). One caveat: out-of-band confirmation depends on the target being allowed to make outbound DNS or HTTP connections to the validator's server. A host behind strict egress filtering can be vulnerable and still never call back, so the absence of a callback is not proof that the input vector is safe.

Remediation pattern

  • Command injection: never concatenate user input into a shell string. Invoke the program with an argument array and no shell, and allow-list the values you pass through.
  • Deserialization: do not deserialize untrusted data with native formats (PHP unserialize(), pickle, Java serialization, BinaryFormatter). Prefer JSON or another data-only format validated against a schema; where native deserialization is unavoidable, enforce an allow-list of classes.
  • SSTI: never render untrusted input as a template; pass it in as template data instead. If user-controlled templates are a hard requirement, use a sandboxed engine and treat the sandbox as defence in depth, not a guarantee.
  • Dependencies: keep them inventoried and patched. Log4Shell remains exploitable on un-updated systems.
  • File uploads: validate the file type by content rather than by extension or Content-Type header, rename the file on save, store it outside the web root, and never serve user-uploaded content from a path the application interprets or executes.
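The following is an added example, not SQUR's code and not code from the page. It puts the glossary's exec("convert " + filename) command-injection pattern beside its hardened form (argv array, no shell, allow-listed filename) and adds an allow-list unpickler for the deserialization remediation. The convert wrapper, the SAFE_NAME pattern, the Gadget class and the two pickled payloads are all constructed for illustration.

```python
"""Added example (not SQUR's code): the glossary's exec("convert " + filename)
command-injection pattern beside its hardened form, and an allow-list
unpickler for the "deserialization of untrusted data" remediation.
The convert wrapper and all sample inputs are constructed for illustration.
"""
import io
import os
import pickle
import re
import subprocess


# --- Command injection: vulnerable vs. hardened ----------------------------

def build_convert_command_unsafe(filename: str) -> str:
    """Vulnerable: user input is concatenated into a shell command string.

    The string is only built here, never executed, so the example is safe
    to run; with shell=True, "x.png; id" would run `id` after `convert`.
    """
    return "convert " + filename + " out.png"


# Allow-list for an uploaded image's basename: must start with a letter, digit
# or underscore; no slashes, spaces, shell metacharacters or ':'. ImageMagick
# treats "msl:", "|cmd" and similar prefixes specially, so validating the
# name also blocks ImageTragick-style coder abuse even with no shell involved.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


def build_convert_argv_safe(filename: str) -> list[str]:
    """Hardened: validate against the allow-list, then build an argv list.

    Passing a list with shell=False means no shell ever parses the input,
    so ';', '|', '$(...)' and friends are just bytes in a filename argument.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["convert", filename, "out.png"]


def run_convert_safe(filename: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (needs ImageMagick on PATH; not run by tests)."""
    return subprocess.run(build_convert_argv_safe(filename),
                          shell=False, check=True, timeout=30)


def safe_rejects(filename: str) -> bool:
    """True if the hardened builder refuses the filename."""
    try:
        build_convert_argv_safe(filename)
    except ValueError:
        return True
    return False


# --- Deserialization: allow-list of classes --------------------------------

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    pickle's GLOBAL/STACK_GLOBAL opcodes go through find_class(); refusing
    anything outside the allow-list stops gadgets such as os.system or
    subprocess.Popen before they are looked up. Pattern from the Python docs.
    """
    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "set"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class Gadget:
    """Constructed malicious object: unpickling it with plain pickle.loads()
    would call os.system("id"). Never pass MALICIOUS_PICKLE to pickle.loads()."""
    def __reduce__(self):
        return (os.system, ("id",))


BENIGN_PICKLE = pickle.dumps({"user": "alice", "role": "viewer"})  # constructed
MALICIOUS_PICKLE = pickle.dumps(Gadget())                            # constructed


if __name__ == "__main__":
    print(build_convert_command_unsafe("x.png; id"))   # a shell would run `id`
    print(build_convert_argv_safe("photo.png"))
    print("rejected:", safe_rejects("x.png; id"))
    print("benign:", restricted_loads(BENIGN_PICKLE))
    print("gadget blocked:", restricted_rejects(MALICIOUS_PICKLE))
```

Two points worth noting: the argv form alone is not enough for ImageMagick, because the program itself interprets filename prefixes, which is why the allow-list stays even though no shell is involved; and the restricted unpickler is a last line of defence for legacy code paths, since JSON with schema validation removes the gadget problem entirely rather than filtering it.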

Frequently asked questions

How does RCE relate to SSRF and command injection?

SSRF lets an attacker make requests from the server (to internal services, cloud metadata endpoints and the like) but does not by itself execute code; it is often a stepping stone to RCE, for example when the request reaches an internal admin interface that can run commands. Command injection is one specific RCE class, reached through shell-string concatenation. The RCE umbrella covers command injection together with the code-injection classes (SSTI, deserialization and so on).

What's the typical CVSS impact?

Most RCE findings score 9.0-10.0 (Critical) under CVSS v3.1. Unauthenticated, network-reachable RCE with no user interaction is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and reaches 10.0 when the scope changes, as with Log4Shell. If the bug needs an authenticated account or user interaction it usually lands in the 7.0-8.9 (High) band: the same vector with PR:L or UI:R scores 8.8, and with PR:H scores 7.2. The severity assumption is that a foothold is followed by a pivot, which compounds quickly into the rest of the network.

Related terms

SSRF, SQL Injection, XXE, CVSS Score, CWE
