Exploitation of RCE Vulnerabilities in Qinglong Task Scheduler Fuels Cryptomining Across Developer Environments
What Happened — Researchers at Snyk reported that threat actors have been chaining two authentication‑bypass flaws (CVE‑2026‑3965 and CVE‑2026‑4047) in the open‑source Qinglong task‑scheduling platform (≤ v2.20.1) to achieve remote code execution and install cryptominers on self‑hosted servers. Activity began in early February 2026, predating public disclosure.
Why It Matters for TPRM —
- The vulnerable component is widely forked (3,200+ forks) and embedded in many third‑party SaaS and CI/CD pipelines, expanding the attack surface.
- Cryptomining hijacks compute resources, inflating cloud bills and potentially violating service‑level agreements with downstream customers.
- The exploit demonstrates how mismatched middleware logic can create “zero‑day‑like” conditions even in mature open‑source projects.
Who Is Affected — Technology SaaS providers, cloud‑native infrastructure teams, DevOps tooling vendors, and any organization that self‑hosts Qinglong for job scheduling or automation.
Recommended Actions —
- Immediately upgrade to the patched release (PR #2941) or apply the vendor’s mitigation commit.
- Conduct an inventory of all Qinglong instances and verify version compliance.
- Review server logs for the hidden “.fullgc” process and unexpected outbound connections to file.551911.xyz.
- Implement strict network segmentation and runtime monitoring to detect anomalous CPU usage.
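The log and process review recommended above, as an added example that is not part of the advisory or the Qinglong project: a small triage script that scans constructed `ps`-style process rows and network log lines for the two indicators the advisory names (the ".fullgc" process and the host file.551911.xyz) and, more generally, for any high-CPU process running from a hidden path under /tmp. The sample lines, the CPU threshold and the log formats are assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory; everything else in this block is assumed.
PROCESS_INDICATOR = ".fullgc"
DOMAIN_INDICATOR = "file.551911.xyz"

# Constructed sample data (not real telemetry): rows shaped like
# `ps -eo pid,user,pcpu,comm,args`, and a hypothetical DNS/proxy log.
SAMPLE_PROCESS_LINES = [
    "  412 qinglong  0.3 node     node /ql/build/app.js",
    " 9731 qinglong 97.8 .fullgc  /tmp/.fullgc -o pool:3333",
    " 1001 root      0.0 sshd     sshd: /usr/sbin/sshd -D",
]
SAMPLE_NETWORK_LINES = [
    "2026-02-11T03:14:07Z dns query A file.551911.xyz from 10.0.0.12",
    "2026-02-11T03:14:09Z conn 10.0.0.12:51822 -> 203.0.113.9:443 host=file.551911.xyz",
    "2026-02-11T03:15:00Z dns query A registry.npmjs.org from 10.0.0.12",
]

def suspicious_processes(lines: List[str], cpu_threshold: float = 80.0) -> List[Dict]:
    """Flag rows that name the known indicator, or that burn CPU from a
    dot-prefixed (hidden) path under /tmp, a common miner drop location."""
    hits = []
    for line in lines:
        parts = line.split(None, 4)          # pid, user, pcpu, comm, args
        if len(parts) < 5:
            continue
        pid, user, pcpu, comm, args = parts
        reasons = []
        if PROCESS_INDICATOR in comm or PROCESS_INDICATOR in args:
            reasons.append("known indicator")
        if float(pcpu) >= cpu_threshold and re.search(r"/tmp/\.", args):
            reasons.append("high CPU from hidden /tmp path")
        if reasons:
            hits.append({"pid": int(pid), "user": user, "cpu": float(pcpu), "reasons": reasons})
    return hits

def suspicious_connections(lines: List[str]) -> List[str]:
    """Return log lines that reference the advisory's outbound host."""
    return [line for line in lines if DOMAIN_INDICATOR in line]

def scan(process_lines: List[str], network_lines: List[str]) -> Dict:
    """Combine both checks into one triage report for an instance."""
    return {"processes": suspicious_processes(process_lines),
            "connections": suspicious_connections(network_lines)}
```

Feed it real `ps` output and DNS or proxy logs from each inventoried instance; an empty report is not proof of a clean host, since the advisory's indicators can change between campaigns.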
Technical Notes — The flaws stem from a rewrite‑rule misconfiguration and a case‑sensitivity mismatch in Express.js routing, which together allow unauthenticated access to admin endpoints and subsequent command injection. Exploiting the chain through remote HTTP requests, the attackers dropped miners built for Linux x86_64, ARM64, and macOS.
Source: BleepingComputer