
The Continuing Rise of Remote Code Execution

RCEs are having a moment, and their continued rise poses real cyber risk to organisations across the globe.

In 2025, there were more than 48,000 vulnerabilities published, amounting to over a 20% increase from 2024. More troubling than the sheer volume of vulnerabilities in 2025 is that more than a third of them were given a rating of “high” or “critical” severity. 

For security teams already stretched too thin, a proactive vulnerability management plan that patches or otherwise remediates all vulnerabilities is too far out of reach. The objective for most IT and security teams, then, becomes prioritisation based on risk and business goals. And, when it comes to the vulnerabilities most dangerous to an organisation’s cybersecurity, one type has risen to the forefront: remote code execution (RCE).  

In fact, according to Arctic Wolf threat intelligence researchers, half of the top 10 vulnerabilities of 2024 were RCEs. With the continued adoption of the cloud and the ubiquity of hybrid work models, we only expect these types of vulnerabilities to grow in number and severity. Clearly, RCEs are having a moment, and their continued rise poses real cyber risk to organisations across the globe.  

What is Remote Code Execution? 

Often launched directly from the internet, remote code execution gives an attacker the ability to take control of a process or device and run their own code on it remotely, without needing to be in the same physical space as the system or device. This separates it from arbitrary code execution (ACE), which is launched from within a system’s local area network (LAN). Through remote code execution, an attacker can run code from outside the system that triggers an internal ACE. 

Once an attacker successfully exploits an RCE vulnerability, they can potentially take complete control over the target system, allowing them to steal sensitive data, disrupt operations, or launch further attacks. Let’s examine a hypothetical cyber attack using RCE to see how threat actors leverage it. 

A Hypothetical Attack on a Manufacturing Organisation

It starts with a contractor’s VPN account — phished through an AI-composed email and followed by enough verification prompts to cause MFA fatigue. Once the threat actor gets the target to grant access, they slip into the network, landing on a jump host that bridges IT and OT. From here, they pivot quietly. 

Using living-off-the-land tools like PowerShell and PsExec, they execute commands remotely, exploiting misconfigured services and admin consoles. A lightweight backdoor is dropped, hidden in memory, and persistence is set via scheduled tasks. Outbound traffic blends into normal cloud chatter. 

Next, they escalate. LSASS memory yields privileged credentials — an engineering account with local admin rights across MES servers. With remote execution, they move laterally, accessing files, backups, and batch records. Data is staged, compressed, and exfiltrated to a cloud storage endpoint.

Impact comes fast: servers are encrypted, halting production. A ransom note threatens to leak proprietary formulations and supplier contracts. The attack avoids direct PLC tampering — too risky — but it cripples upstream systems that keep the plant running. 

Persistence is reinforced through GPO scripts and WMI event subscriptions. Logs are selectively wiped, and EDR agents are disabled. The attacker now controls the heartbeat of this organisation’s manufacturing operations. 
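The persistence steps in the scenario above (scheduled tasks and WMI event subscriptions) leave traces in Windows event logs. The following is an added example, not code from the article or from Arctic Wolf, of the kind of detection logic a defender would run over that telemetry. The events are constructed, already-parsed records whose field names only loosely follow the Security log (event 4698, "a scheduled task was created") and the WMI-Activity/Operational log (event 5861, permanent event consumer binding); the flag list and rule names are assumptions for the example.

```python
# Constructed, already-parsed Windows events (not real telemetry). Field names loosely
# follow the Security log (4698) and the WMI-Activity/Operational log (5861).
SAMPLE_EVENTS = [
    {"EventID": 4698, "Host": "JUMP01", "User": "contractor-vpn",
     "TaskName": "\\Updater", "Command": "powershell.exe -NoP -W Hidden -enc AAAA"},
    {"EventID": 4698, "Host": "MES02", "User": "svc-backup",
     "TaskName": "\\NightlyBackup", "Command": "C:\\Backup\\run.exe"},
    {"EventID": 5861, "Host": "MES02", "User": "eng-admin",
     "Consumer": "CommandLineEventConsumer", "Command": "powershell.exe -NoP -W Hidden"},
    {"EventID": 4624, "Host": "MES02", "User": "eng-admin", "LogonType": 3},
]

# PowerShell switches that legitimate scheduled jobs rarely need (assumed list).
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop")


def suspicious_command(command: str) -> bool:
    """True when a command launches PowerShell with any of the suspicious switches."""
    low = command.lower()
    return "powershell" in low and any(flag in low for flag in SUSPICIOUS_FLAGS)


# Each rule maps a human-readable name to a predicate over one event.
RULES = {
    "scheduled task launching obfuscated PowerShell":
        lambda e: e["EventID"] == 4698 and suspicious_command(e.get("Command", "")),
    "WMI permanent event subscription created":
        lambda e: e["EventID"] == 5861,
}


def detect(events):
    """Run every rule over every event; return (rule, host, user) for each match."""
    hits = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits.append((name, event["Host"], event["User"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The backup job on MES02 runs PowerShell-free and produces no alert, while the hidden, encoded PowerShell task on the jump host and the WMI consumer both surface; in practice the 5861 rule would be tuned against a baseline of the few legitimate consumers in the estate.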

Infamous RCE Attacks 

WannaCry

Perhaps the most insidious of all ransomware strains, WannaCry brought ransomware into the mainstream in 2017. The WannaCry ransomware worm spread by exploiting a vulnerability in the Server Message Block Protocol (SMB). This vulnerability allowed an attacker to execute malicious code on vulnerable machines, enabling the ransomware to access and encrypt valuable files.

WannaCry managed to affect more than 200,000 Windows computers in 150 countries. It was especially dangerous — and potentially deadly — as the UK’s National Health Service Hospitals were among the most devastated. The Five Eyes Alliance — an intelligence alliance consisting of Australia, Canada, New Zealand, the United Kingdom, and the United States — have attributed the attack to North Korean threat actors. 

SolarWinds

In one of the most catastrophic data breaches of 2020, the Russian SVR leveraged a zero-day RCE vulnerability in the SolarWinds Orion Platform to deploy malware across an estimated 18,000 private and government affiliated networks, gaining access to an abundance of identifiable information, including source code, passwords, financial information, and usernames. 

Log4j / Log4Shell

In early December 2021, Log4Shell (CVE-2021-44228) was first identified as a zero-day remote code execution vulnerability in Apache Log4j 2. An unauthenticated, remote threat actor could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of Log4j. Arctic Wolf Labs observed that one in four organisations in our customer base were targeted with Log4Shell exploitation attempts between January and December of 2022. Log4Shell exploitation was the root point of compromise in 11% of all Arctic Wolf® Incident Response cases in 2022 for customers where incident response services were the customer’s first engagement with Arctic Wolf. 

Spring4Shell

In late March 2022, Spring published a security advisory confirming Spring4Shell, a remote code execution (RCE) vulnerability in the Spring Framework. In addition to the security advisory, Spring released patches addressing the vulnerability. The vulnerability, assigned CVE-2022-22965, received a critical severity rating. Notably, the vulnerability impacted not only Spring MVC but also Spring WebFlux applications running JDK 9+. Threat actors were able to leverage this vulnerability to deploy cryptominers and botnet malware into environments. 

Apache Struts

On 13 December 2023, threat actors began exploitation attempts against CVE-2023-50164, a critical-severity remote code execution (RCE) vulnerability impacting Apache Struts, an open-source framework used to create Java Web applications. The vulnerability allowed a remote threat actor to modify file upload parameters to enable path traversal, which could then allow a threat actor to upload a malicious file to perform RCE.  

ToolShell RCE

On 19 July 2025, Microsoft disclosed active exploitation of the ToolShell RCE vulnerability in on-premises Microsoft SharePoint Server instances. The flaw is caused by the deserialisation of untrusted data, and independent reporting identified exploitation affecting a number of organisations, including government agencies, multinational corporations, and organisations in the banking sector. 

The Major Types of Remote Code Execution 

RCE vulnerabilities allow an attacker to execute arbitrary code on a remote system. This means that an attacker can gain unauthorised access to a system and execute commands or run programs remotely, without having or needing physical access to the target system. 

RCE has become such a popular vulnerability type to exploit because it gives threat actors initial access to a target network without the need for, say, an identity-based attack like social engineering to obtain valid credentials for that same initial access. With RCE, threat actors can remotely enter a network without relying on credentials at all. 

There are several ways a threat actor can achieve remote code execution, including:    

Injection  

An injection exploit sends input that the application passes on as part of a command, for example to the database server behind a web application. In a SQL injection, the threat actor injects data that the system interprets as part of a SQL command, allowing them to bypass the app’s authentication and authorisation and retrieve data from the entire SQL database. It can also be used to add, modify, or delete data in the database. 

Deserialisation

Serialisation is the transformation of an object, such as a file folder, into a format that can be preserved, stored, and transmitted — much in the way a .zip file allows you to send a folder containing multiple files as a single unit. Deserialisation, then, is the process of undoing that transformation so that the object can be read and/or executed. However, if the deserialised object is unencrypted, threat actors can modify it with malicious code, which leads to unauthenticated RCE.  
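As an added example (not from the article or Arctic Wolf) of why deserialising untrusted data is dangerous and how to contain it, the block below uses Python's pickle format, whose byte stream can name any importable class or function. A plain `pickle.loads` resolves whatever the stream names; the restricted loader, following the allowlist pattern from the Python pickle documentation, refuses anything not on its list. The allowlist contents and the payloads are constructed assumptions; the second payload references the harmless `os.getcwd` purely to show that a stream can carry a reference to arbitrary code.

```python
import io
import os
import pickle

# Globals the application legitimately expects in a serialised order record (assumed).
# Anything outside this allowlist is refused before it can be instantiated.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"),
                   ("builtins", "str"), ("builtins", "int")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted classes."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_to_load(data: bytes) -> bool:
    """True if the restricted unpickler accepts the payload, False if it refuses it."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def unrestricted_resolves_callable(data: bytes) -> bool:
    """What plain pickle.loads does with the same bytes: it resolves any global the
    stream names, here a function object, without asking whether it should."""
    return callable(pickle.loads(data))


# Constructed payloads: a benign order record, and a stream that names a function.
SAFE_PAYLOAD = pickle.dumps({"order": 42, "items": ["valve", "pump"]})
REFERENCE_PAYLOAD = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(restricted_loads(SAFE_PAYLOAD))
    print("benign record accepted:", safe_to_load(SAFE_PAYLOAD))
    print("function reference accepted:", safe_to_load(REFERENCE_PAYLOAD))
    print("plain loads resolves a callable:",
          unrestricted_resolves_callable(REFERENCE_PAYLOAD))
```

The stronger fix is to avoid native object serialisation for anything crossing a trust boundary and use a data-only format such as JSON with schema validation; where a native format must be kept, authenticating the blob with an HMAC before deserialising it complements the allowlist.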

Out-of-Bounds Write

In this exploit, a threat actor takes advantage of software that allocates or bounds memory incorrectly to write data beyond the boundaries of a buffer — a temporary data storage location used while data is in transit — which can lead to the execution of arbitrary code.  

Improper Input Validation

When software applications do not properly sanitise user input, it can allow attackers to upload a file containing malicious code, which the application then executes, believing it to be valid. 
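The following is an added example, not code from the article or from Arctic Wolf, of the checks an upload handler should apply before accepting a file: reject names carrying path characters, allow only an explicit list of extensions, verify that the content's leading bytes match the declared type, and never reuse the client's name on disk. The allowed types, magic bytes and sample inputs are constructed for the example.

```python
import os
import secrets

# Allowed extensions and the leading bytes ("magic") a genuine file of that type has.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def validate_upload(client_name: str, content: bytes):
    """Return (accepted, reason) after checking the name, the extension and the content."""
    if (not client_name or client_name in (".", "..")
            or any(c in client_name for c in "/\\\x00")):
        return False, "filename contains path characters"
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared type"
    return True, "ok"


def storage_name(client_name: str) -> str:
    """Name used on disk: a random token plus the validated extension, so the client
    never chooses the path and cannot overwrite another file."""
    ext = os.path.splitext(client_name)[1].lower()
    return secrets.token_hex(16) + ext


def handle_upload(client_name: str, content: bytes):
    """Validate, then return (True, name_on_disk) or (False, reason)."""
    accepted, reason = validate_upload(client_name, content)
    if not accepted:
        return False, reason
    return True, storage_name(client_name)


if __name__ == "__main__":
    png = ALLOWED_TYPES[".png"] + b"\x00" * 16          # constructed PNG-like content
    print(handle_upload("photo.png", png))              # accepted, random name
    print(handle_upload("../../srv/app/photo.png", png))  # path characters
    print(handle_upload("script.php", b"echo hi"))      # extension not allowed
    print(handle_upload("photo.php.png", b"echo hi"))   # content is not a PNG
```

Store the accepted file outside the web root and serve it through a handler that sets the content type itself; a file the server never treats as executable cannot become the RCE the article describes, even if a disallowed payload slips past the checks.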

The important thing to note is that remote code execution is possible in any computer software or application and is not restricted by programming languages or operating systems. This is another reason why RCE exploits have risen so sharply in the past few years, with no signs of slowing down. 

How To Defend Against Remote Code Execution 

One of the primary ways to prevent RCE is through timely software updates and patches. As vulnerabilities are discovered in software or an application, the companies behind them will release updates or patches to users. Ensuring that you’re staying on top of this and keeping your software and applications current will help reduce the risk of RCE.  

Another effective — and more proactive — method of preventing RCE is through a vulnerability management program. Many critical-severity CVEs that are discovered lead to RCE, so it’s important to scan for vulnerabilities in your environment and stay on top of your patching schedule. 

Because every organisation has different security and business needs that can change, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time.   

The reality is you can’t patch every vulnerability that appears. However, having a regular patching process in place and proactively working on vulnerability management can make a major difference in your cybersecurity architecture, reducing the risk of a breach. 
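As an added example (not from the article or Arctic Wolf) of the risk-based prioritisation the preceding paragraphs describe, the block below scores each finding by its CVSS score weighted by how critical the affected asset is, whether the flaw is an RCE, whether the asset is internet-exposed and whether exploitation has been seen in the wild, then sorts the patch queue. The weights, the asset criticality scale and the findings (with placeholder CVE identifiers) are constructed assumptions, not a published scoring model.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float
    rce: bool
    internet_exposed: bool
    exploited_in_wild: bool
    asset_criticality: int  # assumed scale: 1 (lab box) .. 5 (production MES/ERP)


def risk_score(f: Finding) -> float:
    """Weighted score: base severity scaled by asset criticality and exposure (assumed weights)."""
    score = f.cvss * f.asset_criticality
    if f.rce:
        score *= 1.5
    if f.internet_exposed:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2
    return round(score, 1)


def prioritise(findings):
    """Patch queue, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings with placeholder identifiers (CVE-0000-000N is not a real CVE).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0004", 10.0, rce=True, internet_exposed=False, exploited_in_wild=False, asset_criticality=1),
    Finding("CVE-0000-0001", 9.8, rce=True, internet_exposed=True, exploited_in_wild=True, asset_criticality=3),
    Finding("CVE-0000-0003", 7.5, rce=False, internet_exposed=True, exploited_in_wild=True, asset_criticality=2),
    Finding("CVE-0000-0002", 9.0, rce=True, internet_exposed=False, exploited_in_wild=False, asset_criticality=5),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{f.cve}: {risk_score(f)}")
```

Note that the perfect-10 CVSS finding lands last: it sits on a non-exposed lab asset with no known exploitation, while an exploited RCE on an internet-facing production host goes to the top. That is the point of a risk-based approach rather than patching strictly by CVSS.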

When To Partner With a Third Party 

Many IT and security teams struggle under a lack of budget and a shortage of available security experts, meaning that providing 24×7 monitoring of their entire environment, as well as prompt detection and response, is already a great challenge. Viewed through that lens, adding proactive vulnerability and risk management to that workload is a non-starter.  

That’s when partnering with a security operations solutions provider can provide valuable assistance in determining your organisation’s unique risk appetite — the amount of risk you’re willing to take on to conduct business — as well as patching and mitigating the vulnerabilities that are most dangerous to your organisation.  

A managed security operations provider like Arctic Wolf® not only provides 24×7 monitoring, detection, and response from a seasoned team of security experts, but can also discover and assess the risks in your environment by contextualising your attack surface coverage across your networks, endpoints, and cloud environments, helping you implement effective vulnerability management while improving your security posture. 
