Description
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.

To remediate this issue, users should upgrade to version 1.103.0.
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user-supplied input in the FSx Windows File Server volume mounting component of Amazon ECS Agent allows a command injection flaw, identified as CWE-78. An attacker who can create or modify an ECS task definition, or write to the Secrets Manager or SSM Parameter Store used by the FSx configuration, can supply a specially crafted username in the task definition. The agent then executes the content as part of an operating-system command with SYSTEM privileges on the Windows host, effectively giving the attacker full control of the underlying EC2 instance.

Affected Systems

All Windows installations of the Amazon ECS Agent older than version 1.103.0 are vulnerable. The issue is limited to the ECS Agent on Windows; other operating systems are unaffected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires the attacker to be authenticated to AWS with permissions to register ECS task definitions or to write secrets used by the FSx volume. Based on the description, the likely attack vector is a privileged, authenticated, remote attacker who can provision ECS tasks or modify secrets.

Generated by OpenCVE AI on May 1, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amazon ECS Agent to version 1.103.0 or later.
  • If an upgrade is not possible immediately, audit and remove any IAM permissions that allow registering ECS task definitions or writing to Secrets Manager or SSM Parameter Store for FSx volume configuration scenarios.
  • Confirm that no task definitions contain the vulnerable username field or legacy secret references, and consider rotating associated secret credentials to mitigate potential exploitation attempts.
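As an added example (not part of the OpenCVE record or of the ECS Agent code), a small Python check that carries out the second and third recommendations offline: it walks a task definition for FSx Windows File Server volumes, resolves each credentialsParameter against a set of secret values, flags usernames that fall outside a conservative allowlist, and reports whether the agent version predates the fixed 1.103.0. The task definition, secret values and ARNs are constructed sample data; the allowlist pattern and the function names are assumptions of this example, and in a real audit the secret values would come from Secrets Manager or SSM Parameter Store rather than a dictionary.

```python
import json
import re

# Constructed sample ECS task definition (not from the advisory): one volume
# is an FSx for Windows File Server share whose credentials live in a
# Secrets Manager secret referenced by credentialsParameter.
SAMPLE_TASK_DEFINITION = {
    "family": "win-fsx-app",
    "volumes": [
        {
            "name": "shared",
            "fsxWindowsFileServerVolumeConfiguration": {
                "fileSystemId": "fs-0123456789abcdef0",
                "rootDirectory": "share",
                "authorizationConfig": {
                    "credentialsParameter": "arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx-creds",
                    "domain": "corp.example",
                },
            },
        }
    ],
}

# Constructed secret values keyed by credentialsParameter ARN. A real scan would
# fetch these with GetSecretValue / GetParameter; they are inlined so the check
# runs offline. The username deliberately contains a shell metacharacter.
SAMPLE_SECRETS = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx-creds":
        json.dumps({"username": "svc|fsx", "password": "<constructed-placeholder>"}),
}

# Conservative allowlist (assumption of this example): optional DOMAIN\ prefix,
# then letters, digits, dot, underscore and hyphen. Anything else is flagged.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._-]+$")

# First fixed Windows agent version according to the advisory.
FIXED_VERSION = (1, 103, 0)


def parse_version(version):
    """Turn '1.102.0' into a comparable tuple (1, 102, 0)."""
    return tuple(int(part) for part in version.split("."))


def agent_is_vulnerable(agent_version):
    """True when the Windows ECS agent predates the fix in 1.103.0."""
    return parse_version(agent_version) < FIXED_VERSION


def fsx_credential_parameters(task_def):
    """Yield (volume name, credentialsParameter ARN) for every FSx Windows volume."""
    for volume in task_def.get("volumes", []):
        cfg = volume.get("fsxWindowsFileServerVolumeConfiguration")
        if cfg:
            auth = cfg.get("authorizationConfig", {})
            yield volume.get("name", "<unnamed>"), auth.get("credentialsParameter")


def check_task_definition(task_def, secrets, agent_version):
    """Return a report: whether the agent needs upgrading and which volumes
    reference credentials whose username is outside the allowlist."""
    findings = []
    for name, arn in fsx_credential_parameters(task_def):
        raw = secrets.get(arn)
        if raw is None:
            findings.append(f"{name}: credentials {arn} could not be resolved")
            continue
        username = json.loads(raw).get("username", "")
        if not USERNAME_RE.fullmatch(username):
            findings.append(f"{name}: username in {arn} contains characters outside the allowlist")
    return {"agent_vulnerable": agent_is_vulnerable(agent_version), "findings": findings}


if __name__ == "__main__":
    report = check_task_definition(SAMPLE_TASK_DEFINITION, SAMPLE_SECRETS, "1.102.0")
    print(json.dumps(report, indent=2))
```

Flagged usernames should be rotated and the offending task definitions reviewed regardless of agent version; the version flag only tells you whether the host still needs the upgrade to 1.103.0.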

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 20:30:00 +0000


Thu, 30 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 19:00:00 +0000

Values Removed: (none)
Values Added:

Description: Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.
Title: OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
First Time appeared: Aws; Aws amazon Ecs Agent
Weaknesses: CWE-78
CPEs: cpe:2.3:a:aws:amazon_ecs_agent:*:*:windows:*:*:*:*:*
Vendors & Products: Aws; Aws amazon Ecs Agent
References: (none)
Metrics:
  cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Aws Amazon Ecs Agent
MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-01T03:56:01.010Z

Reserved: 2026-04-29T18:10:54.263Z

Link: CVE-2026-7461

Vulnrichment

Updated: 2026-04-30T19:08:21.825Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T19:16:10.737

Modified: 2026-05-01T15:26:51.053

Link: CVE-2026-7461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:08Z

Weaknesses