Critical Remote Code Execution Vulnerability in Microsoft Qlib _mount_nfs_uri Command Injection (CVE‑2026‑XXXXX)
What Happened — A command‑injection flaw in the _mount_nfs_uri function of Microsoft Qlib allows an unauthenticated, network‑adjacent attacker to execute arbitrary code with root privileges. The vulnerability (CVSS 8.8) was disclosed by the Zero Day Initiative and patched on 31 May 2025.
Why It Matters for TPRM —
- The flaw can be weaponised against any third‑party service that embeds Qlib, exposing downstream customers to ransomware or data theft.
- Exploitation does not require credentials, making perimeter defenses insufficient.
- Vendors that rely on Qlib for NFS mounting must verify patch deployment to avoid supply‑chain risk.
Who Is Affected — Cloud‑infrastructure providers, SaaS platforms, and any enterprise that integrates Microsoft Qlib for storage or file‑system operations.
Recommended Actions —
- Confirm that all Qlib installations are updated to the 31 May 2025 patch.
- Conduct an inventory of services that invoke _mount_nfs_uri and apply compensating controls (e.g., network segmentation, IDS signatures).
- Review third‑party risk contracts for clauses on timely vulnerability remediation.
Technical Notes — The vulnerability stems from insufficient validation of a user‑supplied string before it is passed to a system call, resulting in command injection and remote code execution as root. No CVE ID was assigned at disclosure; the advisory is tracked as ZDI‑CAN‑27212. Source: Zero Day Initiative advisory
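The following Python is an added illustration of the flaw class the technical note describes, not Qlib's code (which this advisory does not reproduce). It places the unsafe pattern, a caller-supplied NFS URI spliced into a shell command line, beside a hardened form that validates the URI against an allow-list grammar and passes it as a separate argv element with no shell involved. The function names, the `nfs://host/export` format, and the sample URIs are assumptions for the example.

```python
"""Added illustration of the command-injection pattern described in the
advisory. Names and URI format are hypothetical; this is not Qlib's code."""
import re
import subprocess
from typing import Callable, List, Tuple

# Allow-list grammar for nfs://host/export. Anything outside it (shell
# metacharacters, whitespace, other schemes) is rejected before any
# command line is built.
_NFS_URI_RE = re.compile(
    r"^nfs://(?P<host>[A-Za-z0-9][A-Za-z0-9.-]{0,253})"
    r"(?P<export>/[A-Za-z0-9_./-]*)$"
)
_MOUNT_POINT_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")


def build_mount_command_unsafe(nfs_uri: str, mount_point: str) -> str:
    """The anti-pattern: untrusted input is interpolated into one string
    that a shell will parse (os.system / shell=True). A ';' or '`' in
    nfs_uri becomes an additional command run with mount's privileges."""
    return f"mount -t nfs {nfs_uri} {mount_point}"


def parse_nfs_uri(nfs_uri: str) -> Tuple[str, str]:
    """Validate against the allow-list grammar and split into (host, export).
    Raises ValueError for anything that does not match exactly."""
    match = _NFS_URI_RE.fullmatch(nfs_uri)
    if match is None:
        raise ValueError(f"rejected NFS URI: {nfs_uri!r}")
    export = match.group("export")
    if ".." in export.split("/"):
        raise ValueError("rejected NFS URI: '..' path segment")
    return match.group("host"), export


def build_mount_argv(nfs_uri: str, mount_point: str) -> List[str]:
    """Hardened form: validate both inputs, then return an argument vector.
    Each element reaches execve() as one argument, so no shell ever parses
    the caller-controlled string."""
    host, export = parse_nfs_uri(nfs_uri)
    if not _MOUNT_POINT_RE.fullmatch(mount_point):
        raise ValueError(f"rejected mount point: {mount_point!r}")
    return ["mount", "-t", "nfs", f"{host}:{export}", mount_point]


def mount_nfs_uri_safe(
    nfs_uri: str,
    mount_point: str,
    runner: Callable[..., object] = subprocess.run,
) -> List[str]:
    """Run the validated argv with shell=False. The runner is injectable so
    the logic can be exercised without root or a real NFS server."""
    argv = build_mount_argv(nfs_uri, mount_point)
    runner(argv, shell=False, check=True)
    return argv


def compare(nfs_uri: str, mount_point: str = "/mnt/data") -> dict:
    """Show what each path does with the same (constructed) input."""
    result = {"shell_string": build_mount_command_unsafe(nfs_uri, mount_point)}
    try:
        result["argv"] = build_mount_argv(nfs_uri, mount_point)
    except ValueError as exc:
        result["argv"] = None
        result["rejected"] = str(exc)
    return result


if __name__ == "__main__":
    benign = "nfs://nas01.example.internal/exports/data"
    # Constructed sample of the injection shape: the unsafe builder hands the
    # shell a second command, the hardened builder refuses the input outright.
    hostile = "nfs://nas01.example.internal/exports; id"
    for uri in (benign, hostile):
        print(compare(uri))
```

The design choice worth noting is that validation is an allow-list on the URI's structure rather than a deny-list of metacharacters, and that it is applied before the argv is built; passing a list to `subprocess.run` without `shell=True` is what removes the shell from the path entirely, and the injectable `runner` lets the check be unit-tested without touching a real mount.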