Cryptomining Attacks Exploit RCE Vulnerabilities in Qinglong Scheduler

Severity: High (Score: 69.8)

Sources: snyk.io, Bleepingcomputer

Summary

In early February 2026, hackers began exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling platform, affecting versions 2.20.1 and earlier. The vulnerabilities allowed unauthenticated remote code execution (RCE), enabling attackers to deploy a cryptominer binary named '.fullgc' on compromised servers. The attacks were first reported by users who noticed high CPU usage due to the rogue process. The vulnerabilities stem from a mismatch between the application's security middleware and Express.js routing behavior, leading to unauthorized access to admin functionalities. The first vulnerability (CVE-2026-3965) was published on March 11, 2026, while the second (CVE-2026-4047) was disclosed shortly after. Attackers modified configuration files to inject shell commands that downloaded the miner from a remote resource. Despite initial reports, the Qinglong maintainers only acknowledged the issue on March 1, 2026, urging users to update. Effective mitigation was achieved with a patch released later in March.

Key Points:

  • Two critical RCE vulnerabilities in Qinglong allowed cryptomining attacks since February 2026.
  • The vulnerabilities affect versions 2.20.1 and earlier, enabling unauthorized access to admin features.
  • The '.fullgc' cryptominer process was designed to evade detection by mimicking legitimate system processes.
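The middleware/router mismatch named in the summary is a recurring class of authentication bypass in Express.js applications. The following is an added, constructed illustration of that class (not Qinglong's code, and not a reproduction of the CVEs); it assumes Express's default router behaviour, which is case-insensitive and ignores a trailing slash, and shows a prefix-blocklist auth check beside a deny-by-default allowlist check, plus an audit helper that reports where the two disagree with the router.

```javascript
// Constructed illustration of the bug class described above: an auth middleware
// whose path check disagrees with how the router matches routes. This is not
// Qinglong's code and does not reproduce the CVEs; it only shows the pattern.
// Assumption: Express's default router is case-insensitive and ignores a trailing
// slash, so a route registered as '/admin' also serves '/Admin' and '/admin/'.

// Route matching as Express's default (non-strict, case-insensitive) router does it.
function routerMatches(registeredRoute, requestPath) {
  const norm = (p) => p.toLowerCase().replace(/\/+$/, '') || '/';
  return norm(registeredRoute) === norm(requestPath);
}

// Weak pattern: a blocklist that demands a login only for exact, case-sensitive
// prefixes. Any spelling the list does not recognise is let through unauthenticated.
function weakRequiresAuth(requestPath) {
  const protectedPrefixes = ['/admin', '/api/configs'];
  return protectedPrefixes.some((p) => requestPath.startsWith(p));
}

// Hardened pattern: deny by default. Only an explicit allowlist of public routes,
// compared with the same normalisation the router applies, is exempt from auth.
function hardenedRequiresAuth(requestPath) {
  const publicRoutes = ['/login', '/health'];
  return !publicRoutes.some((r) => routerMatches(r, requestPath));
}

// Audit helper: request paths the router would hand to a protected handler while
// the given middleware would not demand a login. An empty result means no auth gap.
function findAuthGaps(protectedRoutes, candidatePaths, requiresAuth) {
  return candidatePaths.filter(
    (path) => protectedRoutes.some((r) => routerMatches(r, path)) && !requiresAuth(path)
  );
}

// Constructed sample of path spellings as they might appear in an access log.
const SAMPLE_PATHS = ['/admin', '/Admin', '/admin/', '/api/configs', '/API/configs', '/login', '/health/'];
const PROTECTED_ROUTES = ['/admin', '/api/configs'];

console.log('gaps with weak check:', findAuthGaps(PROTECTED_ROUTES, SAMPLE_PATHS, weakRequiresAuth));
console.log('gaps with hardened check:', findAuthGaps(PROTECTED_ROUTES, SAMPLE_PATHS, hardenedRequiresAuth));
```

On the sample paths the weak check leaves '/Admin' and '/API/configs' unauthenticated while the router still serves them from the protected handlers; the hardened check leaves no gap. The same audit can be run against real access logs to confirm a deployed middleware and router agree.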

Key Entities

  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2025-29927 (cve)
  • CVE-2026-3965 (cve)
  • CVE-2026-4047 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • CWE-862 - Missing Authorization (cwe)
  • file.551911.xyz (domain)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1203 - Exploitation for Client Execution (mitre_attack)
  • Docker (tool)
  • Nginx (tool)
  • Curl (tool)
  • wget (tool)
  • Express.js (platform)
  • Linux (platform)
  • MacOS (platform)