Qinglong Task Scheduler Vulnerabilities Exploited for Cryptomining Attacks

Severity: High (Score: 72.6)

Sources: Gbhackers, snyk.io, Bleepingcomputer, Cybersecuritynews

Summary

In early February 2026, hackers exploited two critical authentication bypass vulnerabilities in the Qinglong task scheduling platform, affecting versions 2.20.1 and earlier. These vulnerabilities, identified as CVE-2026-3965 and CVE-2026-4047, allowed unauthenticated remote code execution, enabling attackers to deploy a cryptominer binary named .fullgc on compromised servers. The attacks were first reported by users experiencing high CPU usage due to the hidden process, which mimicked a legitimate system process to evade detection. The vulnerabilities stemmed from a mismatch between the security middleware's assumptions and the Express.js routing behavior. Despite the initial reports, the Qinglong maintainers only acknowledged the issue on March 1, 2026, urging users to update their systems. However, the initial mitigation was insufficient, and a more effective fix was implemented later. The exploitation has been confirmed across various setups, including those behind Nginx and SSL. The situation highlights the risks associated with publicly exposed application panels.

Key Points:

  • Two critical vulnerabilities in Qinglong allow unauthenticated remote code execution.
  • Attackers deployed a cryptominer named .fullgc, causing significant CPU resource drain.
  • Initial mitigations were ineffective, leading to further exploitation before a proper fix was issued.
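As an added example (not code from the advisory or from the Qinglong project), a small Python host check a defender could run to surface the symptom described above: a dot-prefixed process such as .fullgc running from a temp directory and burning CPU. The sample process table, the 80% CPU threshold and the world-writable-directory heuristic are assumptions; the live collector reads /proc on Linux and reports lifetime-average CPU per process.

```python
import os
# Constructed sample process table (not from a real host): (pid, comm, exe, %CPU).
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd", 0.1),
    (2487, "node", "/usr/local/bin/node", 3.2),
    (3051, ".fullgc", "/tmp/.fullgc", 97.5),
    (3099, "kworker/0:1", "", 0.0),
]
KNOWN_MINER_NAMES = {".fullgc"}  # binary name reported in the advisory summary

def classify(comm, exe, cpu, cpu_threshold=80.0):
    """Return the reasons a process looks suspicious (empty list if none)."""
    name = os.path.basename(exe) if exe else comm  # kernel threads have no exe
    reasons = []
    if comm in KNOWN_MINER_NAMES or name in KNOWN_MINER_NAMES:
        reasons.append("known miner name")
    if name.startswith("."):
        reasons.append("dot-prefixed (hidden) executable name")
    if exe.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):  # assumed heuristic
        reasons.append("runs from a world-writable directory")
    if cpu >= cpu_threshold:  # assumed threshold for "significant CPU drain"
        reasons.append(f"cpu {cpu:.1f}% >= {cpu_threshold:.0f}%")
    return reasons

def scan(procs):
    """Map pid -> reasons for every process that trips at least one check."""
    return {pid: r for pid, comm, exe, cpu in procs if (r := classify(comm, exe, cpu))}

def collect_linux():
    """Read (pid, comm, exe, lifetime-average %CPU) for all processes from /proc."""
    ticks = os.sysconf("SC_CLK_TCK")
    uptime = float(open("/proc/uptime").read().split()[0])
    procs = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            fields = stat[stat.rindex(")") + 2:].split()  # fields after comm
            utime, stime, start = int(fields[11]), int(fields[12]), int(fields[19])
        except (OSError, ValueError, IndexError):
            continue  # process exited between listdir and read
        try:
            exe = os.readlink(f"/proc/{entry}/exe")  # may read "<path> (deleted)"
        except OSError:
            exe = ""  # kernel thread, or another user's process without root
        elapsed = max(uptime - start / ticks, 0.001)
        procs.append((int(entry), comm, exe, 100.0 * (utime + stime) / ticks / elapsed))
    return procs
```

Run `scan(collect_linux())` on a Linux host to list flagged pids with their reasons; `scan(SAMPLE_PROCS)` flags only pid 3051 in the constructed data.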

Key Entities

  • Malware (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2025-29927 (cve)
  • CVE-2026-3965 (cve)
  • CVE-2026-4047 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • CWE-862 - Missing Authorization (cwe)
  • file.551911.xyz (domain)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1203 - Exploitation for Client Execution (mitre_attack)
  • Docker (tool)
  • Nginx (tool)
  • Curl (tool)
  • wget (tool)
  • Express.js (platform)
  • Linux (platform)
  • MacOS (platform)