Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1…

Published:

29 April 2026 at 22:00:00

Alert date:

30 April 2026 at 21:02:39

Source:

nvd.nist.gov

Cloud & Virtualization, Operating Systems

CVE-2026-7461 is a command injection vulnerability in Amazon ECS Agent for Windows versions before 1.103.0. The vulnerability exists in the FSx Windows File Server volume mounting component where improper input neutralization allows remote authenticated attackers to execute shell commands with SYSTEM privileges. The attack vector requires specially crafted username fields in ECS task definitions and permissions to register task definitions or write to Secrets Manager/SSM Parameter Store. This critical vulnerability provides privilege escalation to SYSTEM level on the underlying Windows host. Remediation requires upgrading to Amazon ECS Agent version 1.103.0 or later.
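
The remediation above comes down to finding Windows container instances whose agent is older than 1.103.0. The following is an added example, not part of the original advisory or of Amazon's code: it triages output shaped like `aws ecs describe-container-instances`, and the instance IDs and versions in the sample are constructed.

```python
import json

FIXED = (1, 103, 0)  # first fixed ECS Agent release, per the advisory

# Constructed sample shaped like `aws ecs describe-container-instances` output.
SAMPLE = json.loads("""
{"containerInstances": [
 {"ec2InstanceId": "i-example0001", "versionInfo": {"agentVersion": "1.102.1"}, "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
 {"ec2InstanceId": "i-example0002", "versionInfo": {"agentVersion": "1.99.0"}, "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
 {"ec2InstanceId": "i-example0003", "versionInfo": {"agentVersion": "1.103.0"}, "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
 {"ec2InstanceId": "i-example0004", "versionInfo": {"agentVersion": "1.90.0"}, "attributes": [{"name": "ecs.os-type", "value": "linux"}]},
 {"ec2InstanceId": "i-example0005", "attributes": [{"name": "ecs.os-type", "value": "windows"}]}
]}
""")

def parse_version(text):
    """Turn '1.102.1' into (1, 102, 1); tolerate a leading 'v' and short forms."""
    parts = text.strip().lstrip("v").split(".")
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def os_type(instance):
    """Read the ecs.os-type attribute; 'unknown' if the instance lacks it."""
    for attr in instance.get("attributes", []):
        if attr.get("name") == "ecs.os-type":
            return attr.get("value", "").lower()
    return "unknown"

def triage(response):
    """Return (instance id, agent version, reason) for instances needing attention."""
    findings = []
    for inst in response.get("containerInstances", []):
        if os_type(inst) == "linux":
            continue  # the advisory covers the Windows agent only
        iid = inst.get("ec2InstanceId", "unknown")
        raw = inst.get("versionInfo", {}).get("agentVersion")
        try:
            version = parse_version(raw)
        except (AttributeError, ValueError):
            # Missing or odd version strings are reported, never assumed patched.
            findings.append((iid, raw, "unparseable agent version"))
            continue
        if version < FIXED:  # numeric compare: 1.99.0 sorts below 1.103.0
            findings.append((iid, raw, "agent older than 1.103.0"))
    return findings
```

Versions are compared as integer tuples because a plain string comparison would rank 1.99.0 above 1.103.0 and miss a vulnerable host.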

Affected products:

Amazon ECS Agent
FSx Windows File Server

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.