Description
RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.
Published: 2026-02-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

RustFly 2.0.0 includes a command injection flaw in its remote User Interface that processes hex‑encoded instructions received over UDP port 5005. Unsanitized input allows attackers to embed arbitrary system commands in the payload, which the device then executes. This flaw can be used to run commands locally, including the deployment of a reverse shell, thereby compromising the confidentiality, integrity, and availability of the affected system.

Affected Systems

The only documented affected version is Bixat RustFly firmware 2.0.0. No additional product versions or releases are listed as vulnerable.

Risk and Exploitability

Based on the description, the attack vector is remote network access to UDP port 5005. The CVSS score of 9.3 denotes a critical severity, while the EPSS score of < 1 % indicates a very low likelihood of exploitation in the wild. Although widespread abuse is not yet documented and the flaw is not listed in CISA’s KEV catalog, the impact of successful exploitation—arbitrary local command execution including reverse shells—would severely compromise confidentiality, integrity, and availability of the device.

Generated by OpenCVE AI on April 18, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any firmware update that addresses the command injection flaw as soon as it is released.
  • Block or restrict UDP traffic on port 5005 to trusted networks using firewall rules; consider disabling the remote UI control if not required.
  • Secure access to the remote UI by enforcing authentication and, if possible, restricting it to a VPN or other secure tunnel from controlled hosts.
  • Monitor network traffic for unexpected UDP packets on port 5005 and audit executed commands for signs of exploitation.

Generated by OpenCVE AI on April 18, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Bixat
Bixat rustfly
Vendors & Products Bixat
Bixat rustfly

Thu, 19 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send crafted hex-encoded payloads containing system commands to execute arbitrary operations on the target system, including reverse shell establishment and command execution.
Title RustFly 2.0.0 Command Injection via UDP Remote Control
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Bixat Rustfly
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-20T20:03:30.129Z

Reserved: 2026-02-19T19:39:03.528Z

Link: CVE-2026-27476

cve-icon Vulnrichment

Updated: 2026-02-20T20:03:21.696Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T21:18:33.503

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27476

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses