Raynet rvia CVE-2026-38945
HIGHSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.
AnalysisAI
Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a find command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.
Technical ContextAI
The flaw is a classic OS command injection (CWE-77) in rvia, a Raynet management/inventory product that performs a 'Java search' - scanning the host filesystem to discover Java installations or related artifacts. To do this it shells out to the Unix find utility, embedding a search path or pattern into the command line. Because the search criteria are 'improperly terminated' (the path argument is not correctly quoted, escaped, or delimited before being passed to the shell), a path string containing shell metacharacters or an unterminated criterion breaks out of the intended find argument and is interpreted as additional shell commands. This is the canonical pattern in which untrusted input concatenated into a command string is executed by a shell interpreter rather than treated as inert data. No CPE strings were provided in the source data, so the exact platform/edition enumeration cannot be confirmed beyond the vendor product name and version in the MITRE description; the reliance on find strongly implies a Unix/Linux deployment context.
Affected ProductsAI
Raynet rvia version 12.6 Update 8 and all previous versions are affected, per the MITRE-supplied description. No CPE strings were included in the intelligence data, so an authoritative configuration match cannot be provided, and no fixed version was listed. Vendor information and advisories should be sought through the Raynet support portal at https://support.raynet.de/, with vulnerability and proof-of-concept details published at https://github.com/Wise-Security/CVE-2026-38945.
RemediationAI
No vendor-released patch version was identified in the provided data; check the Raynet support portal (https://support.raynet.de/) for a fixed build above 12.6 Update 8 and apply it once available, as upgrading to a corrected release is the primary fix. Until a patched version is confirmed, restrict local interactive and service access to hosts running rvia so that only trusted administrators can reach the application, since exploitation requires local low-privileged access. Where feasible, prevent untrusted users from creating files or controlling the paths fed into rvia's Java search (for example by tightening filesystem permissions on directories that the search traverses and on any user-writable input locations), and avoid running rvia or its search component with elevated privileges to limit blast radius - noting these controls reduce but do not eliminate the underlying injection. Monitor for anomalous child processes spawned by rvia or its find invocations. Coordinate with Raynet support to validate affected components, and reference the public technical writeup at https://github.com/Wise-Security/CVE-2026-38945 for detection details.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today