CVE-2026-27182
📋 TL;DR
Saturn Remote Mouse Server has a critical command injection vulnerability that allows unauthenticated attackers on the local network to execute arbitrary system commands by sending malicious UDP packets to port 27000. This enables remote code execution under the service account's privileges. Any system running the vulnerable Saturn Remote Mouse Server software is affected.
💻 Affected Systems
- Saturn Remote Mouse Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the host, installing persistent malware, pivoting to other systems, and stealing sensitive data.
Likely Case
Local network attacker executes commands to install cryptocurrency miners, ransomware, or backdoors on vulnerable systems.
If Mitigated
Attack limited to service account privileges with no lateral movement due to network segmentation and proper controls.
🎯 Exploit Status
Exploitation requires only sending specially crafted UDP packets to port 27000. The vulnerability is in JSON parsing that passes unsanitized data to system() or similar execution functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - No vendor patch information available in provided references
Vendor Advisory: https://www.saturnremote.com/ (no specific advisory found)
Restart Required: Yes
Instructions:
1. Check vendor website for security updates.
2. If patch available, download and install.
3. Restart the Saturn Remote Mouse Server service.
4. Verify service is no longer vulnerable.
🔧 Temporary Workarounds
Network Access Control
All platforms: Block UDP port 27000 at the network perimeter and segment vulnerable systems
# Windows Firewall:
netsh advfirewall firewall add rule name="Block Saturn Remote Mouse" dir=in action=block protocol=UDP localport=27000
# Linux iptables:
iptables -A INPUT -p udp --dport 27000 -j DROP
Service Disablement
All platforms: Disable Saturn Remote Mouse Server if not required
# Windows (sc requires a space after "start="):
sc stop "SaturnRemoteMouse" && sc config "SaturnRemoteMouse" start= disabled
# Linux systemd:
sudo systemctl stop saturn-remote && sudo systemctl disable saturn-remote
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running Saturn Remote Mouse Server
- Deploy host-based firewall rules to block UDP port 27000 except from trusted management systems
🔍 How to Verify
Check if Vulnerable:
Use a UDP scanner to check if port 27000 is open and listening. Test with proof-of-concept exploit if available and authorized.
Check Version:
# Check running version through application interface or process information
Verify Fix Applied:
Attempt to send malicious UDP packets to port 27000 and verify no command execution occurs. Monitor service logs for error messages.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from Saturn Remote Mouse service
- Error messages containing command execution failures
- Unusual network connections originating from the service
Network Indicators:
- UDP traffic to port 27000 containing JSON-like structures with shell metacharacters
- Outbound connections from Saturn Remote Mouse service to suspicious destinations
SIEM Query:
(source="saturn_remote.log" AND ("system()" OR "exec()" OR "popen()")) OR (dest_port=27000 AND protocol=UDP AND payload MATCHES "[|;&$()]")
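The network indicator above (JSON-like payloads on UDP port 27000 carrying shell metacharacters) as an added detection example, not code from the vendor or from this advisory. It decodes the JSON before matching, so characters written as \uXXXX escapes are also seen, and falls back to a raw match for truncated input. The key name example_field and all sample datagrams are constructed; the real message format is not documented on this page.

```python
import json
import re

WATCHED_PORT = 27000                      # UDP port named in the advisory
SHELL_META = re.compile(r"[|;&$()]")      # character class from the SIEM query

def iter_strings(node):
    """Yield every string (keys and values) in a decoded JSON tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)

def classify(dst_port, payload):
    """Return 'ignore', 'clean', 'suspicious' or 'malformed' for one datagram."""
    if dst_port != WATCHED_PORT:
        return "ignore"
    text = payload.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError):
        # Truncated or JSON-like input: fall back to matching the raw text.
        if "{" in text and SHELL_META.search(text):
            return "suspicious"
        return "malformed"
    # Match on decoded strings so \uXXXX-escaped characters are seen too.
    if any(SHELL_META.search(s) for s in iter_strings(doc)):
        return "suspicious"
    return "clean"

def scan(datagrams):
    """Classify (dst_port, payload) pairs, e.g. taken from a packet capture."""
    return [classify(port, data) for port, data in datagrams]

# Constructed sample datagrams; "example_field" is a hypothetical key.
SAMPLES = [
    (27000, b'{"example_field": "move 10 20"}'),
    (27000, b'{"example_field": "abc; echo test"}'),
    (27000, b'{"example_field": "abc\\u003b echo test"}'),
    (27000, b'{"example_field": "abc | echo'),
    (27000, b"\x00\x01binary"),
    (5353, b'{"example_field": "abc; echo test"}'),
]
```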