What Is Remote Code Execution (RCE)?
Remote code execution (RCE) is a vulnerability that lets an attacker run their own code on a target system from a remote location. It is one of the most severe vulnerability classes, because it can hand an attacker control of the application or the host. RCE almost always chains from another flaw, such as injection or unsafe deserialization, that reaches a code-execution sink.

What is remote code execution?
Remote code execution is a class of vulnerability that lets an attacker run arbitrary code on a system they do not control, from across a network. Instead of only reading data or crashing a service, the attacker gets the target to execute instructions of their choosing. That is why RCE consistently rates among the most severe flaws in any scoring system: once an attacker can run code, they can often move to full control of the application, the container, or the host.
RCE is rarely a single bug on its own. It is usually the end of a chain: untrusted input enters the application, passes through a weakness that was never meant to run code, and reaches a function that executes it. Understanding RCE means understanding that chain.
How RCE attacks work
Every RCE follows the same shape. Attacker-controlled input reaches a dangerous sink, a place in the code where data is turned into executable instructions. The vulnerability is whatever lets untrusted input travel to that sink without being neutralized. The exploit is the crafted input that runs once it arrives.
Because the mechanism is a data-to-execution path, RCE is most dangerous in code that accepts external input and has a legitimate reason to evaluate, deserialize, or spawn something. The attacker does not need a special channel. They only need their input to reach the sink.
Common causes of remote code execution
- Command injection. User input is passed into a system shell or process call without proper separation, so the attacker's text becomes part of the command (CWE-78).
- Unsafe deserialization. The application rebuilds objects from untrusted serialized data, and crafted data triggers code during or after deserialization (CWE-502).
- Expression-language and template injection. Input is evaluated by an expression engine or template renderer. Server-side template injection (SSTI) is a common route to RCE.
- Unsafe code evaluation. Functions that evaluate strings as code receive untrusted input (CWE-94).
- Unrestricted file upload. An attacker uploads an executable file that the server later runs.
Many of the highest-profile CVEs of recent years are RCE chains of exactly these kinds. For real examples across ecosystems, see the CVE archive.
Why most critical RCE findings are not actually exploitable
A scanner flags an RCE-class CVE by its presence in your dependencies or code. That is not the same as risk. An RCE vulnerability only matters if the vulnerable code path is actually reachable and executes in your running application. A critical RCE in a library you import but never call on that path is not an urgent problem. A lower-scored issue on a code path that runs on every request may be.
This is the gap between theoretical severity and operational risk. Reachability analysis and runtime intelligence close it by confirming which vulnerable paths actually load and execute, so an RCE backlog becomes the short list that genuinely threatens the application.
How to prevent and detect RCE
Prevention is about keeping untrusted input away from execution sinks: validate and constrain input, avoid passing data to shells or evaluators, use safe deserialization, run with least privilege, and sandbox anything that must handle external content. These reduce how often a data-to-execution path exists at all.
Detection is the other half, because zero-days and logic flaws will slip past prevention. The goal is to catch an RCE at the moment it begins to execute, not after data has left. That is the role of application detection and response (ADR): it watches how the application actually executes and flags the moment behavior crosses from normal into an exploit, paired with runtime application protection to respond. Prevention plus runtime detection is what keeps an RCE from becoming an incident.
Frequently Asked Questions
Remote code execution (RCE) is a vulnerability that lets an attacker run their own code on a target system from a remote location. It is one of the most severe vulnerability classes because it can lead to full control of the application or host.
Attacker-controlled input reaches a dangerous sink, a place where data is turned into executable instructions, through a weakness such as command injection, unsafe deserialization, or expression-language injection. The crafted input then runs.
Code injection is a mechanism, untrusted input being interpreted as code. Remote code execution is the outcome, the attacker running code on the system, often achieved through injection but also through deserialization, file upload, or other paths.
A CVE is flagged by presence in code or dependencies, not by whether the vulnerable path runs. An RCE only matters if it is reachable and executes in your application, which is why runtime reachability, not severity alone, should drive prioritization.
Keep untrusted input away from execution sinks: validate input, avoid passing data to shells or evaluators, use safe deserialization, apply least privilege, and sandbox untrusted content. Then detect exploitation at runtime to catch what prevention misses.
Related blogs

What is an LLM Jailbreak?
An LLM jailbreak bypasses a model's safety guardrails to produce restricted output. How jailbreaks work, how they differ from prompt injection, and defenses.
4
Stop the waste.
Protect your environment with Kodem.
A Primer on Runtime Intelligence
See how Kodem's cutting-edge sensor technology revolutionizes application monitoring at the kernel level.
Platform Overview Video
Watch our short platform overview video to see how Kodem discovers real security risks in your code at runtime.
The State of the Application Security Workflow
This report aims to equip readers with actionable insights that can help future-proof their security programs. Kodem, the publisher of this report, purpose built a platform that bridges these gaps by unifying shift-left strategies with runtime monitoring and protection.
.avif)
Get real-time insights across the full stack…code, containers, OS, and memory
Watch how Kodem’s runtime security platform detects and blocks attacks before they cause damage. No guesswork. Just precise, automated protection.



