Skip to main content

Raynet rvia CVE-2026-38945

HIGH
Command Injection (CWE-77)
2026-05-27 cve@mitre.org
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:08 vuln.today

DescriptionCVE.org

Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command.

AnalysisAI

Local arbitrary code execution in Raynet rvia 12.6 Update 8 and earlier lets a low-privileged local user inject operating-system commands through the application's Java search feature, which assembles a find command from an attacker-controlled path without properly terminating the search criteria (CWE-77 OS command injection). A working proof-of-concept exploit script is publicly available on GitHub (Wise-Security/CVE-2026-38945), and CISA's SSVC framework rates the technical impact as total, though it marks the issue as not automatable and requiring local access. No EPSS score and no CISA KEV listing were supplied, so there is no public exploit identified as actively exploited at time of analysis.

Technical ContextAI

The flaw is a classic OS command injection (CWE-77) in rvia, a Raynet management/inventory product that performs a 'Java search' - scanning the host filesystem to discover Java installations or related artifacts. To do this it shells out to the Unix find utility, embedding a search path or pattern into the command line. Because the search criteria are 'improperly terminated' (the path argument is not correctly quoted, escaped, or delimited before being passed to the shell), a path string containing shell metacharacters or an unterminated criterion breaks out of the intended find argument and is interpreted as additional shell commands. This is the canonical pattern in which untrusted input concatenated into a command string is executed by a shell interpreter rather than treated as inert data. No CPE strings were provided in the source data, so the exact platform/edition enumeration cannot be confirmed beyond the vendor product name and version in the MITRE description; the reliance on find strongly implies a Unix/Linux deployment context.

Affected ProductsAI

Raynet rvia version 12.6 Update 8 and all previous versions are affected, per the MITRE-supplied description. No CPE strings were included in the intelligence data, so an authoritative configuration match cannot be provided, and no fixed version was listed. Vendor information and advisories should be sought through the Raynet support portal at https://support.raynet.de/, with vulnerability and proof-of-concept details published at https://github.com/Wise-Security/CVE-2026-38945.

RemediationAI

No vendor-released patch version was identified in the provided data; check the Raynet support portal (https://support.raynet.de/) for a fixed build above 12.6 Update 8 and apply it once available, as upgrading to a corrected release is the primary fix. Until a patched version is confirmed, restrict local interactive and service access to hosts running rvia so that only trusted administrators can reach the application, since exploitation requires local low-privileged access. Where feasible, prevent untrusted users from creating files or controlling the paths fed into rvia's Java search (for example by tightening filesystem permissions on directories that the search traverses and on any user-writable input locations), and avoid running rvia or its search component with elevated privileges to limit blast radius - noting these controls reduce but do not eliminate the underlying injection. Monitor for anomalous child processes spawned by rvia or its find invocations. Coordinate with Raynet support to validate affected components, and reference the public technical writeup at https://github.com/Wise-Security/CVE-2026-38945 for detection details.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-38945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy