Ethical Hacking News

Hackers Exploit RCE Flaws in Qinglong Task Scheduler for Cryptomining Operations


Hackers exploit two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers, highlighting the importance of timely updates and robust security practices for developers and organizations using this popular software.

  • The two authentication bypass vulnerabilities, CVE-2026-3965 and CVE-2026-4047, were disclosed publicly in February 2026.
  • Hackers exploited these vulnerabilities to deploy cryptominers on developers' servers, gaining unauthorized access and executing malicious code.
  • The vulnerabilities were found in versions 2.20.1 and older of the Qinglong tool, specifically due to misconfigured rewrite rules and middleware authorization logic issues.
  • Researchers reported that attackers began exploiting these vulnerabilities on February 7, targeting publicly exposed Qinglong panels.
  • The maintainers of Qinglong initially responded with an insufficient mitigation but later released a corrected patch in PR #2941.
  • The incident highlights the importance of regular security audits and updates for open-source software like Qinglong.



    In a recent cybersecurity incident, hackers have taken advantage of two authentication bypass vulnerabilities in the popular open-source task scheduling tool, Qinglong. These vulnerabilities, which were disclosed publicly at the end of February 2026, allowed attackers to deploy cryptominers on developers' servers, utilizing the RCE (Remote Code Execution) flaws to gain unauthorized access and execute malicious code. This report delves into the details of this incident, exploring the impact of the vulnerabilities, the methods used by hackers, and the response from Qinglong's maintainers.

    The two security problems, CVE-2026-3965 and CVE-2026-4047, were identified in versions 2.20.1 and older of the Qinglong tool. The first vulnerability, CVE-2026-3965, involved a misconfigured rewrite rule that exposed protected admin endpoints through an unauthenticated path. This allowed attackers to bypass authentication and access sensitive areas of the system. The second vulnerability, CVE-2026-4047, stemmed from a mismatch between middleware authorization logic and Express.js routing behavior. In this scenario, the auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently. This led to requests like '/aPi/...' being able to bypass authentication and reach protected endpoints.
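
    The mismatch described for CVE-2026-4047, reduced to a minimal model with a vulnerable guard beside a hardened one. This is an added example, not Qinglong's code or the PR #2941 fix; the route paths, `req.token` and all function names are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the bug class, not Qinglong's code.
// Express matches route paths case-insensitively unless "case sensitive routing"
// is enabled; route() below mimics that default.
const routes = {
  '/api/crons': () => 'scheduled tasks (protected)', // constructed path
  '/public/health': () => 'ok',                      // constructed path
};

function route(path) {
  const handler = routes[path.toLowerCase()];
  return handler
    ? { status: 200, body: handler() }
    : { status: 404, body: 'not found' };
}

// Vulnerable guard: compares the raw path with a case-sensitive prefix, so
// '/aPi/crons' is treated as "not an API path" and passed on unauthenticated.
function vulnerableAuth(req) {
  if (req.path.startsWith('/api/') && !req.token) {
    return { status: 401, body: 'unauthorized' };
  }
  return null; // null means "continue to the router"
}

// Hardened guard: deny by default and compare against an allowlist using the
// same normalization the router applies. A truthy req.token stands in for
// real token verification.
const PUBLIC_PATHS = new Set(['/public/health']);

function hardenedAuth(req) {
  if (PUBLIC_PATHS.has(req.path.toLowerCase())) return null;
  return req.token ? null : { status: 401, body: 'unauthorized' };
}

function handle(auth, req) {
  return auth(req) || route(req.path);
}

console.log(handle(vulnerableAuth, { path: '/aPi/crons' }).status); // 200
console.log(handle(hardenedAuth, { path: '/aPi/crons' }).status);   // 401
```

    The hardened guard does not depend on guessing which prefixes are sensitive: anything not explicitly public requires a token, so a routing quirk can only widen what is denied.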

    Researchers at cloud-native application security company Snyk reported that attackers began exploiting these vulnerabilities on February 7, targeting publicly exposed Qinglong panels to deploy cryptominers. The miners were designed to mimic innocuous processes, such as "Full GC," in order to evade detection. According to Snyk, the attackers modified Qinglong's config.sh and injected shell commands that downloaded a miner to '/ql/data/db/.fullgc' and executed it in the background.

    The remote resource located at 'file.551911.xyz' hosted multiple variants of the binary, including for Linux x86_64, ARM64, and macOS. The attacks continued across various setups, including behind Nginx and SSL, with confirmed infections reported across multiple systems. However, Qinglong's maintainers only responded to the situation on March 1.
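
    A defender's check for the indicators named above, as an added example that is not taken from Snyk's report or from Qinglong. It assumes a combined-format reverse-proxy access log and a copy of config.sh read into a string; the log lines, request paths and config text are constructed samples.

```javascript
// Added illustration. The indicator strings come from the article; the log
// lines and config text are constructed samples, not captured data.
const IOC_STRINGS = ['/ql/data/db/.fullgc', 'file.551911.xyz'];

// Request paths whose first segment is a case variant of "api" other than the
// canonical lowercase form, e.g. '/aPi/...'.
function mixedCaseApiRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const prefix = m[1].slice(0, 5);
    if (prefix.toLowerCase() === '/api/' && prefix !== '/api/') hits.push(m[1]);
  }
  return hits;
}

// Line numbers (1-based) of config.sh lines that mention a known indicator.
function configIndicators(configText) {
  return configText
    .split('\n')
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => IOC_STRINGS.some((ioc) => text.includes(ioc)))
    .map(({ line }) => line);
}

const sampleLog = [
  '203.0.113.5 - - [07/Feb/2026:10:00:01 +0000] "GET /api/crons HTTP/1.1" 401 23',
  '203.0.113.9 - - [07/Feb/2026:10:00:07 +0000] "PUT /aPi/example HTTP/1.1" 200 41',
  '203.0.113.9 - - [07/Feb/2026:10:00:09 +0000] "GET /API/example HTTP/1.1" 200 88',
  '198.51.100.2 - - [07/Feb/2026:10:01:00 +0000] "GET /apiary/docs HTTP/1.1" 404 9',
];

const sampleConfig = [
  'export ExampleSetting="1"',
  '# constructed stand-in for an injected line: <...> file.551911.xyz <...>',
  '# constructed stand-in for an injected line: <...> /ql/data/db/.fullgc <...>',
].join('\n');

console.log(mixedCaseApiRequests(sampleLog)); // [ '/aPi/example', '/API/example' ]
console.log(configIndicators(sampleConfig));  // [ 2, 3 ]
```

    A mixed-case hit that returned a 2xx status without a preceding login is the combination worth triaging first, since legitimate clients of the panel use the lowercase path.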

    The initial mitigation released by the maintainers focused on blocking command injection patterns, which Snyk deemed insufficient. It wasn't until PR #2941 was implemented that the authentication bypass in the middleware was effectively corrected.

    This incident highlights the importance of regular security audits and updates for open-source software like Qinglong. Developers must stay vigilant and address vulnerabilities promptly to prevent exploitation by malicious actors.

    In conclusion, the recent hacking incident involving Qinglong's task scheduler is a reminder of the ongoing threat landscape for developers and organizations using this tool. The exploitation of RCE flaws and deployment of cryptominers demonstrate the devastating impact that inadequate security measures can have on systems.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Exploit-RCE-Flaws-in-Qinglong-Task-Scheduler-for-Cryptomining-Operations-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-exploit-rce-flaws-in-qinglong-task-scheduler-for-cryptomining/

  • https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-3965

  • https://www.cvedetails.com/cve/CVE-2026-3965/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-4047

  • https://www.cvedetails.com/cve/CVE-2026-4047/


  • Published: Wed Apr 29 16:16:35 2026 by llama3.2 3B Q4_K_M












