DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FC67-C4HG-Q653: CVE-2026-7461: OS Command Injection in Amazon ECS Agent for Windows via FSx Volume Credentials

#security #cve #cybersecurity

CVE-2026-7461: OS Command Injection in Amazon ECS Agent for Windows via FSx Volume Credentials

Vulnerability ID: GHSA-FC67-C4HG-Q653
CVSS Score: 7.2
Published: 2026-05-07

A high-severity OS command injection vulnerability exists in the Amazon ECS Agent for Windows (versions 1.47.0 to 1.102.0) that permits an authenticated attacker with task definition creation privileges to execute arbitrary commands as the SYSTEM user via crafted FSx Windows File Server volume credentials.

TL;DR

The Amazon ECS Agent for Windows improperly neutralizes user input when mounting FSx Windows File Server volumes. Attackers with task definition privileges can inject shell metacharacters into the username field, leading to OS command execution as SYSTEM. Administrators must upgrade to version 1.103.0.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: OS Command Injection
  • CWE ID: CWE-78
  • CVSS v3.1 Base Score: 7.2 (High)
  • Attack Vector: Network
  • Privileges Required: High (Task Definition Registration)
  • Impact: SYSTEM-level Arbitrary Code Execution
  • Exploit Maturity: Proof of Concept
  • Fixed Version: 1.103.0

Affected Systems

  • Amazon ECS Agent (Windows)
  • Amazon FSx for Windows File Server Integration
  • Amazon ECS Agent (Windows): >= 1.47.0, < 1.103.0 (Fixed in: 1.103.0)

Mitigation Strategies

  • Upgrade the Amazon ECS Agent to version 1.103.0 or later on all Windows instances.
  • Audit and enforce least privilege IAM policies for 'ecs:RegisterTaskDefinition' and 'ecs:RunTask' actions.
  • Implement CloudTrail monitoring to detect shell metacharacters in volume configuration credential fields.

Remediation Steps:

  1. Open an administrative PowerShell session on the target Windows container instance.
  2. Stop the ECS service using the command: Stop-Service -Name "ecs".
  3. Download the latest agent zip file using: Invoke-WebRequest -Uri https://s3.us-east-1.amazonaws.com/amazon-ecs-agent-us-east-1/amazon-ecs-agent-latest.zip -OutFile agent.zip.
  4. Extract the archive using: Expand-Archive -Path agent.zip -DestinationPath .
  5. Verify the version using: ./amazon-ecs-agent.exe -version.
  6. Restart the ECS service using: Start-Service -Name "ecs".

References

Read the full report for GHSA-FC67-C4HG-Q653 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)