CVE-2026-38945

Vulnerability

Raynet rvia (RayVentory Scan Engine) version 12.6 Update 8 and earlier contains a command injection vulnerability in its Java detection routine. When the oracle option is invoked, rvia executes a find command to locate Java installations. The command improperly terminates the exclusion list for directories such as /tmp by omitting a trailing * character. This allows a crafted directory structure (e.g., /tmp/jdk/bin/java) to match the search criteria and be executed as a Java binary. The affected command is: /bin/sh -c "find / -not \( -path '/dev' -o -path '/etc' -o -path '/mnt' -o -path '/tmp' -o -path '/proc' \) ..." [1][2].

Exploitation

An attacker with write access to a world-writable directory (e.g., /tmp) can create a malicious binary at a path that matches the search pattern, such as /tmp/jdk/bin/java. The oracle option is commonly run as a cron job, providing a reliable trigger. When rvia executes the find command, it locates the attacker-controlled binary and runs java -version, executing the malicious payload. No authentication is required beyond the ability to write to the target directory [2].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the rvia process, typically root or a highly privileged user. This can lead to full system compromise, including data exfiltration, installation of backdoors, or lateral movement within the network. The vulnerability is rated High with a CVSS v3 score of 7.8 [1][2].

Mitigation

As of the publication date (2026-05-27), Raynet has not released a patched version. The advisory RSEC200967 has been issued, but no fix is publicly available. Administrators should monitor Raynet's security updates for a patch. As a workaround, avoid running the oracle option as a cron job, or restrict write access to world-writable directories like /tmp to prevent unauthorized file creation [2].