Description
Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection exists in Raynet RVIA version 12.6 Update 8 and earlier, enabling an attacker to execute arbitrary code when a specially crafted path is used in the Java search operation. The unsanitized path feeds into the system’s find command, allowing the attacker to inject arbitrary shell commands. The flaw provides full control over the affected machine once exploited.

Affected Systems

Raynet RVIA (Remote Virtual Interface Agent) is affected. Versions 12.6 Update 8 and all prior releases are vulnerable; no newer versions have been reported as impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating high severity. No EPSS information is available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring access to the component that performs the Java search; exact exploitation requires the attacker to supply a crafted path, but remote access would suffice. The potential impact is significant, as arbitrary code execution on the host can lead to full system compromise.

Generated by OpenCVE AI on May 27, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Raynet RVIA patch that removes the unsafe path handling
  • Disable the Java search feature in RVIA if a vendor fix is not yet available
  • Restrict network access to the RVIA component to limit exposure to potential attackers

Generated by OpenCVE AI on May 27, 2026 at 22:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
References

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Raynet
Raynet rvia
Vendors & Products Raynet
Raynet rvia

Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Title Command Injection via Improper Path Handling in Raynet RVIA

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description Command injection in Raynet rvia version 12.6.4392.49-amd64.deb allows adversaries to execute arbitrary Java code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command. Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Command injection in Raynet rvia version 12.6.4392.49-amd64.deb allows adversaries to execute arbitrary Java code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.
References

Subscriptions

Raynet Rvia
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-01T15:53:50.958Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38945

cve-icon Vulnrichment

Updated: 2026-05-27T17:08:39.774Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T17:16:34.207

Modified: 2026-06-01T18:12:56.073

Link: CVE-2026-38945

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:22:29Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')