Qinglong Task Scheduler Vulnerabilities Exploited for Cryptomining Attacks

Qinglong Task Scheduler Vulnerabilities Exploited for Cryptomining Attacks

First seen 29 Apr 2026, 21:37 UTC Bleepingcomputersnyk.ioGbhackersCybersecuritynewsScworld 84% similarity 72.6

Article Content

Browse articles
ThreatCluster

In early February 2026, hackers exploited two critical authentication bypass vulnerabilities in the Qinglong task scheduling platform, affecting versions 2.20.1 and earlier. These vulnerabilities, identified as CVE-2026-3965 and CVE-2026-4047, allowed unauthenticated remote code execution, enabling attackers to deploy a cryptominer binary named .fullgc on compromised servers. The attacks were first reported by users experiencing high CPU usage due to the hidden process, which mimicked a legitimate system process to evade detection. The vulnerabilities stemmed from a mismatch between the security middleware's assumptions and the Express.js routing behavior. Despite the initial reports, the Qinglong maintainers only acknowledged the issue on March 1, 2026, urging users to update their systems. However, the initial mitigation was insufficient, and a more effective fix was implemented later. The exploitation has been confirmed across various setups, including those behind Nginx and SSL. The situation highlights the risks associated with publicly exposed application panels.

Key Points: • Two critical vulnerabilities in Qinglong allow unauthenticated remote code execution. • Attackers deployed a cryptominer named .fullgc, causing significant CPU resource drain. • Initial mitigations were ineffective, leading to further exploitation before a proper fix was issued.

ThreatCluster AI

Timeline

2025-03-21
CVE-2025-29927 published
2026-02-07
Exploitation of vulnerabilities in Qinglong begins.
2026-02-27
Authentication bypass vulnerabilities reported.
2026-03-01
Qinglong maintainer acknowledges vulnerabilities.
2026-03-11
CVE-2026-3965 published.
2026-03-11
CVE-2026-4047 published.
2026-04-29
Snyk reports on ongoing exploitation and mitigation efforts.

Community

Browse all →