Hackers Exploit RCE Flaws in Qinglong Scheduler for Cryptomining

By Xavier Rivera

Hackers chain two authentication bypass flaws in Qinglong versions 2.20.1 and older for RCE and cryptomining since early February. Snyk reports ongoing attacks on exposed panels, with a proper fix only in recent PR #2941.

Source: BleepingComputer

TL;DR

Hackers exploit two authentication bypass flaws (CVE-2026-3965, CVE-2026-4047) in Qinglong scheduler for RCE and deploy cryptominers on developers' servers starting February 7, 2026. Attackers inject shell commands to download Linux, ARM64, and macOS miners running as hidden '.fullgc' processes consuming 85-100% CPU. Snyk discloses issues; maintainers patch in March. Popular tool exposes thousands of Chinese developers to cryptojacking.

Hackers exploit two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers.

Exploitation began in early February 2026, before Snyk researchers publicly disclosed the issues at month's end. Qinglong, a self-hosted time management platform popular among Chinese developers, boasts over 3,200 forks and 19,000 GitHub stars. The flaws affect versions 2.20.1 and older and can be chained for remote code execution.

CVE-2026-3965 stems from a misconfigured rewrite rule mapping '/open/*' requests to '/api/*', exposing admin endpoints. CVE-2026-4047 arises because authentication checks treat paths as case-sensitive while Express.js routing is case-insensitive, allowing bypasses like '/aPi/...'. Snyk attributes both to a mismatch between middleware authorization and framework behavior.
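
The case mismatch behind CVE-2026-4047 can be modelled in a few lines. This is an added example, not Qinglong's code: the function names and sample paths are constructed, and the guard is a simplified stand-in for the project's authentication middleware.

```javascript
// Simplified model of the mismatch described above; not Qinglong's code.
// All function names and sample paths are constructed for illustration.

// Express matches routes case-insensitively unless
// "case sensitive routing" is enabled, so model the router that way.
const routesToApi = (path) => /^\/api\//i.test(path);

// Flawed guard: a case-sensitive prefix test decides whether a token is required.
const needsTokenNaive = (path) => path.startsWith('/api/');

// Hardened guard: compare on the same normalised form the router effectively uses.
const needsTokenHardened = (path) => path.toLowerCase().startsWith('/api/');

// A request is unguarded when the router serves it as an API call
// but the guard never asked for a token.
const isUnguarded = (path, guard) => routesToApi(path) && !guard(path);

// Detection helper: flag access-log paths that reach /api/ or /open/ with
// non-canonical casing, which ordinary clients have no reason to send.
function flagOddCasing(paths) {
  return paths.filter((p) => {
    const m = /^\/(api|open)\//i.exec(p);
    return m !== null && m[1] !== m[1].toLowerCase();
  });
}

// Constructed sample request paths.
const samplePaths = [
  '/api/example',
  '/aPi/example',
  '/open/example',
  '/OPEN/example',
  '/static/app.js',
];

for (const p of samplePaths) {
  console.log(p, {
    naiveGap: isUnguarded(p, needsTokenNaive),
    hardenedGap: isUnguarded(p, needsTokenHardened),
  });
}
console.log('review these log entries:', flagOddCasing(samplePaths));
```

Normalising inside the guard closes this one gap; setting Express's `case sensitive routing` option or denying by default removes the disagreement between guard and router altogether.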

Attackers targeted public Qinglong panels starting February 7, injecting shell commands via modified config.sh to download miners from file.551911.xyz. These include Linux x86_64, ARM64, and macOS variants, executed as a hidden '.fullgc' process consuming 85% to 100% CPU—mimicking 'Full GC' to evade detection. Infections hit setups behind Nginx and SSL.
Qinglong maintainers acknowledged the issues on March 1, releasing PR #2924 to block command injection—deemed insufficient by Snyk. The effective fix arrived in PR #2941, correcting the authentication bypass.

Expert Take: Self-hosted Qinglong admins must upgrade to PR #2941 and restrict public exposure to block these auth bypass chains.
