Critical Qinglong Task Scheduler RCE Flaws Actively Exploited

Marcus Rodriguez
April 30, 2026

Key Takeaways

  • Two critical authentication bypass vulnerabilities in the Qinglong task scheduler (CVE-2026-3965 and CVE-2026-4047) are being actively exploited.
  • Unauthenticated attackers are using these flaws to gain remote code execution and install a cryptominer named “.fullgc.”
  • The cryptomining campaign targets publicly accessible Qinglong instances, particularly those deployed in Docker containers on cloud VPS and home networks.
  • Qinglong versions 2.20.1 and earlier are vulnerable; users must update to the latest patched version immediately.

Early in 2026, cybersecurity researchers identified active exploitation of two severe authentication bypass vulnerabilities impacting the widely used open-source Qinglong task scheduler. These flaws enable unauthenticated attackers to compromise publicly exposed instances, leading to remote code execution and the deployment of a resource-intensive cryptominer.

According to Snyk security reports, malicious actors have been leveraging these vulnerabilities to breach Qinglong panels, subsequently installing a stealthy cryptominer dubbed “.fullgc.” This malware is designed to consume significant system resources, impacting server performance.

Qinglong is a popular self-hosted dashboard for scheduling tasks, supporting various scripting languages like Python 3 and JavaScript. The platform has garnered substantial traction, especially within the Chinese developer community, boasting over 19,000 stars on GitHub. Many users deploy Qinglong in Docker containers on cloud virtual private servers (VPS) and within home network environments.

Cryptomining Campaign Underway

Around February 7, 2026, system administrators began observing unusual activity on their servers. BleepingComputer highlighted that these incidents were characterized by sudden and sustained CPU spikes, often pushing server capacity to 100%.

Attackers exploited the unpatched vulnerabilities to modify Qinglong’s configuration script, enabling the surreptitious download and installation of the “.fullgc” cryptominer. This malware was cleverly disguised as a Java garbage collection process, a tactic designed to evade immediate detection and prolong its operation while it consumed system resources for illicit cryptocurrency mining.

The exploitation campaign targets two critical vulnerabilities present in Qinglong versions 2.20.1 and earlier. Snyk researchers elucidated that both flaws originate from a fundamental mismatch between the assumptions of the security middleware and the routing behavior of the underlying Express.js framework.

  • CVE-2026-3965, documented in GitHub Issue #2933, stems from an incorrect URL rewrite rule. This rule erroneously maps requests directed to /open/* to the protected /api/* endpoints. Consequently, an attacker can exploit this flaw to reinitialize and reset administrative credentials with a single unauthenticated request.
  • CVE-2026-4047, detailed in GitHub Issue #2934, leverages case-insensitive URL handling. By altering the casing of requests (e.g., sending /aPi/ instead of /api/), attackers can bypass existing protections on /api/ endpoints. Snyk’s vulnerability database indicates that this particular flaw grants direct remote code execution without the prerequisite of resetting credentials.
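
The mismatch described above can be reproduced in a small model. This is an added example, not Qinglong's code and not from the original article: the route `/api/system/config`, the `hasSession` flag and the shape of the rewrite rule are constructed, and the router is modelled by a case-insensitive regular expression, reflecting Express's default of case-insensitive route matching.

```javascript
// Dependency-free model of "guard assumptions vs. router behaviour".
// Route name, rewrite rule and session flag are constructed for illustration.

// What the router dispatches on: Express matches route paths
// case-insensitively unless "case sensitive routing" is enabled.
const PROTECTED_ROUTE = /^\/api\/system\/config$/i;

// Constructed rewrite of the kind described above: /open/* -> /api/*.
function rewrite(path) {
  return path.replace(/^\/open\//i, '/api/');
}

// Weak guard: case-sensitive prefix test on the raw path, before the rewrite.
function weakGuard(path, hasSession) {
  if (path.startsWith('/api/')) return hasSession; // only this exact spelling
  return true;                                     // everything else passes
}

// Hardened guard: decides on the canonical path the router will dispatch on
// (rewritten, lower-cased), so both layers agree on what "/api/" means.
function strictGuard(path, hasSession) {
  const canonical = rewrite(path).toLowerCase();
  if (canonical.startsWith('/api/')) return hasSession;
  return true;
}

// One request through guard -> rewrite -> router; returns the HTTP status.
function handle(guard, path, hasSession) {
  if (!guard(path, hasSession)) return 401;
  return PROTECTED_ROUTE.test(rewrite(path)) ? 200 : 404;
}

// Constructed sample requests, all sent without a session.
const samples = ['/api/system/config', '/aPi/system/config', '/open/system/config'];

function compare() {
  return samples.map((path) => ({
    path,
    weak: handle(weakGuard, path, false),
    strict: handle(strictGuard, path, false),
  }));
}

console.table(compare());
```

The weak guard rejects only the first request, while the hardened guard rejects all three and still serves them once a session is present.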

Incident Timeline

The exploitation of these vulnerabilities initially spread predominantly within developer forums, largely unnoticed by the broader English-speaking cybersecurity community.

  • February 7-8: Initial reports emerge from users detailing severe CPU exhaustion caused by the “.fullgc” cryptominer.
  • February 10: The affected community calls for a public warning as infections become widespread across various deployment configurations.
  • February 27: Security researchers publicly disclose the underlying cause, identifying two distinct authentication bypass vulnerabilities.
  • March 1: The maintainers of the Qinglong platform confirm the security flaws and issue an urgent recommendation for users to apply the latest updates.

Early attempts by the community to mitigate the threat involved filtering malicious inputs via GitHub pull requests. However, these efforts proved insufficient against the fundamental access control vulnerabilities. Ultimately, the maintainers addressed the issue by directly correcting the middleware’s authentication logic to prevent these bypasses.

What You Should Do

  • Update Immediately: All Qinglong users, especially those running versions 2.20.1 or earlier, must update their installations to the latest patched version without delay.
  • Audit for Cryptominer: System administrators should conduct a thorough audit of their Qinglong environments for any hidden “.fullgc” files or processes indicative of compromise.
  • Secure Access: Place any self-hosted Qinglong panels behind a secure VPN or implement strict network access controls to limit exposure to the public internet.
  • Monitor Resources: Implement robust monitoring for unusual CPU usage or other anomalous system behavior that could indicate cryptomining activity.
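
As part of the audit step, web access logs can be checked for the mixed-case `/api/` requests associated with CVE-2026-4047. The following is an added example, not from the original article or the Qinglong project; it assumes a reverse proxy writing Common Log Format, and the log lines, addresses and paths are constructed.

```javascript
// Common Log Format: client - user [time] "METHOD target HTTP/x" status size
const CLF = /^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3}) /;

// Group requests whose first path segment is "api" in any spelling other
// than lower case, per client, counting how many were answered with 2xx.
function caseVariantHits(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const m = CLF.exec(line);
    if (!m) continue;                        // skip lines in another format
    const [, client, , target, status] = m;
    const path = target.split('?')[0];       // drop the query string
    const first = path.split('/')[1] || '';  // first path segment
    if (first.toLowerCase() !== 'api' || first === 'api') continue;
    const entry = byClient.get(client) ||
      { client, requests: 0, answered2xx: 0, paths: [] };
    entry.requests += 1;
    if (status.startsWith('2')) entry.answered2xx += 1;
    if (!entry.paths.includes(path)) entry.paths.push(path);
    byClient.set(client, entry);
  }
  // Clients whose variant requests were actually answered come first.
  return [...byClient.values()].sort((a, b) => b.answered2xx - a.answered2xx);
}

// Constructed sample log (documentation address ranges, placeholder paths).
const sampleLog = [
  '198.51.100.7 - - [08/Feb/2026:03:12:44 +0000] "GET /api/example/list HTTP/1.1" 401 52',
  '203.0.113.9 - - [08/Feb/2026:03:12:51 +0000] "PUT /aPi/example/item?t=1 HTTP/1.1" 200 87',
  '203.0.113.9 - - [08/Feb/2026:03:12:53 +0000] "GET /API/example/list HTTP/1.1" 200 640',
  '192.0.2.33 - - [08/Feb/2026:03:13:02 +0000] "GET /Api/example/list HTTP/1.1" 401 52',
  'malformed line',
];

console.log(JSON.stringify(caseVariantHits(sampleLog), null, 2));
```

A client with a non-zero `answered2xx` count received successful responses to case-variant requests and is the first place to look when correlating with “.fullgc” findings.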

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
