THE CIRCUITRYYour one-stop source for all tech news

Home/Tech/Hackers Exploit RCE Flaws in Qinglong Scheduler for Cryptomining

VERIFIEDBy Xavier Rivera· ·1 min read

Hackers Exploit RCE Flaws in Qinglong Scheduler for Cryptomining

Hackers chain two authentication bypass flaws in Qinglong versions 2.20.1 and older for RCE and cryptomining since early February. Snyk reports ongoing attacks on exposed panels, with a proper fix only in recent PR #2941.

Source:BleepingComputer

Post

Hackers Exploit RCE Flaws in Qinglong Scheduler for Cryptomining

TL;DRAI · 60 sec read

Hackers exploit two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers.

Exploitation began in early February 2026, before Snyk researchers publicly disclosed the issues at month's end. Qinglong, a self-hosted time management platform popular among Chinese developers, boasts over 3,200 forks and 19,000 GitHub stars. The flaws affect versions 2.20.1 and older, chainable for remote code execution.

From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

CVE-2026-3965 stems from a misconfigured rewrite rule mapping '/open/*' requests to '/api/*', exposing admin endpoints. CVE-2026-4047 arises because authentication checks treat paths as case-sensitive while Express.js routing is case-insensitive, allowing bypasses like '/aPi/...'. Snyk attributes both to a mismatch between middleware authorization and framework behavior.

Attackers targeted public Qinglong panels starting February 7, injecting shell commands via modified config.sh to download miners from file.551911.xyz. These include Linux x86_64, ARM64, and macOS variants, executed as a hidden '.fullgc' process consuming 85% to 100% CPU—mimicking 'Full GC' to evade detection. Infections hit setups behind Nginx and SSL.

Qinglong maintainers acknowledged the issues on March 1, releasing PR #2924 to block command injection—deemed insufficient by Snyk. The effective fix arrived in PR #2941, correcting the authentication bypass.

EXPERT TAKE

Expert Take: Self-hosted Qinglong admins must upgrade to PR #2941 and restrict public exposure to block these auth bypass chains.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported

DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee

security vulnerability cryptomining

MORE IN TECH

Qualcomm launches Dragonfly C1000 CPU for data centers with Meta as key client

Qualcomm introduced its Dragonfly C1000 data center CPU engineered for agentic AI on Wednesday and confirmed Meta as a customer once production begins in 2028. The announcement underscores the mobile-centric chipmaker's drive into higher-growth data center segments where energy efficiency has become a decisive factor amid surging AI-agent workloads.

Google to lower Play Store fees in US, Europe, UK on June 30

Google is set to implement lower Play Store fees and external payment options in Europe, the UK, and the US starting June 30 as part of its Epic Games settlement. The changes introduce a 10 percent service fee on the first $1 million in annual earnings for small developers and expand globally through 2027.

CISA Warns Hackers Are Actively Exploiting Severe Ubiquiti Flaws

CISA placed three severe Ubiquiti UniFi OS vulnerabilities and one critical Lantronix command injection flaw into its Known Exploited Vulnerabilities catalog on June 23, 2026, after confirming active attacks. Federal agencies must apply patches or mitigations within three days under BOD 26-04, while Bishop Fox demonstrated the Ubiquiti issues can be chained for full remote code execution and released a free detection script.