1-Click Oracle Cloud Code Editor RCE Flaw Allows Malicious File Upload to Shell

Tenable Research has disclosed a critical Remote Code Execution (RCE) vulnerability in Oracle Cloud Infrastructure’s Code Editor that enabled attackers to silently hijack victim Cloud Shell environments through a single malicious link.

The vulnerability, which has since been remediated by Oracle, could have allowed threat actors to pivot across multiple OCI services and compromise integrated developer tools.

Vulnerability Details and Discovery

The security flaw stemmed from a Cross-Site Request Forgery (CSRF) weakness in Oracle’s Code Editor file upload mechanism.

Researchers discovered that the browser-based integrated development environment shared the same underlying file system as Cloud Shell, creating an unexpected attack surface through their tight integration.

The vulnerability centered on a Cloud Shell router component that exposed a /file-upload endpoint lacking proper CSRF protections. The authentication cookie was configured with a SameSite=None attribute, which provided no protection against cross-site requests.

This configuration allowed any external website to trigger file uploads to a victim’s Cloud Shell environment if they were authenticated to Oracle Cloud Infrastructure.

“Our research began with a simple goal: explore Oracle Cloud Infrastructure’s Cloud Shell to better understand its security posture,” explained Tenable researchers. “The danger isn’t always in what you see, it’s often in what’s quietly integrated behind the scenes.”

The attack vector was remarkably simple yet devastating. Attackers could create a malicious HTML page that, when visited by an authenticated OCI user, would silently upload malicious files to sensitive locations like .bashrc.

When victims next initialized Cloud Shell, the malicious code would execute automatically, establishing remote access and potentially allowing lateral movement across OCI services using the victim’s cloud identity.

The proof-of-concept demonstrated how attackers could override shell configuration files to establish reverse shells, gaining interactive access to the victim’s Cloud Shell environment and leveraging OCI CLI capabilities for further compromise.

Beyond Cloud Shell access, the vulnerability posed risks to Code Editor’s integrated services, including Resource Manager, Functions, and Data Science.

Since these services share the same file system environment, attackers could potentially tamper with deployed functions, modify Resource Manager workspaces, or compromise data science workflows, creating a multi-surface threat across OCI’s developer toolkit.

Oracle addressed the vulnerability by implementing additional CSRF protections requiring a custom HTTP header (x-csrf-token) for all relevant requests.

This mitigation effectively blocks unauthorized cross-origin requests since browsers cannot set arbitrary custom headers without proper CORS configuration.

The vulnerability highlights the security challenges posed by tightly integrated cloud services, where convenience features can inadvertently create new attack vectors.

Organizations using Oracle Cloud Infrastructure should ensure their environments are updated with the latest security patches to protect against similar vulnerabilities.

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!