1-Click Oracle Cloud Code Editor RCE Vulnerability Lets Attackers Upload Malicious Files

Tenable researchers disclosed a critical Remote Code Execution (RCE) vulnerability in the Oracle Cloud Infrastructure (OCI) Code Editor that allowed attackers to silently hijack a victim's Cloud Shell environment through a single click.

The vulnerability, now remediated, affected Code Editor’s integrated services, including Resource Manager, Functions, and Data Science, demonstrating how seemingly isolated cloud development tools can become attack vectors.

Key Takeaways
1. Oracle Cloud Code Editor's file upload lacked CSRF protection, allowing 1-click malicious file uploads.
2. Enabled Remote Code Execution and potential compromise of integrated OCI services.
3. Oracle added mandatory X-CSRF-Token headers to prevent cross-origin attacks.

Oracle Code Editor Vulnerability

The vulnerability stemmed from Oracle Code Editor’s deep integration with Cloud Shell, where both services share the same underlying file system and user session context.

While this tight coupling was designed to provide a seamless developer experience, it created an unexpected attack surface that researchers exploited.

Tenable’s investigation began with a simple question: if developers can upload files easily through Code Editor, could attackers do the same? This led to the discovery of a /file-upload endpoint in Code Editor that lacked Cross-Site Request Forgery (CSRF) defenses, unlike Cloud Shell’s properly secured upload mechanism.

The critical component at the heart of this vulnerability was the Cloud Shell router (router.cloudshell.us-ashburn-1.oci.oraclecloud.com), which accepted HTTP POST requests containing multipart/form-data payloads. 

The router relied on a CS-ProxyChallenge cookie that was set with the SameSite=None attribute, so browsers attached it to cross-site requests as well, offering authenticated users no protection against requests forged from another site.

The exploitation path was remarkably straightforward. Attackers could create malicious HTML pages that, when visited by authenticated OCI users, would automatically upload malicious files to the victim’s Cloud Shell environment without their knowledge.

The attack utilized a crafted HTTP request:

[Figure: the crafted HTTP request used in the attack]

Researchers demonstrated how attackers could override .bashrc files to establish reverse shells, gaining interactive access to Cloud Shell and leveraging victim credentials for lateral movement across OCI services using the OCI CLI.

Protection Measures

Oracle responded to the vulnerability by implementing additional security measures, specifically requiring a custom HTTP header x-csrf-token with value csrf-value for all relevant requests. 

This change effectively mitigates CSRF because a browser will not attach a custom header to a cross-origin request on its own: a plain HTML form submission cannot set one at all, and a scripted cross-origin request that tries to add one triggers a CORS preflight that the server must explicitly approve.

The vulnerability's impact extended beyond Cloud Shell to Code Editor's integrated services. Since these services operate on the same shared file system, malicious payloads could compromise Resource Manager workspaces, Functions deployments, and Data Science environments, creating a multi-surface threat across OCI's developer toolkit.
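As an added illustration, not code from the article, from Tenable, or from Oracle, the following Python model contrasts the router's pre-fix check, where the SameSite=None session cookie alone authorised a multipart upload, with the header-based check Oracle introduced. The origins, cookie values and request objects are placeholders constructed for the example, and the SameSite and CORS preflight behaviour is a deliberately simplified model of what browsers and servers do.

```python
# Constructed model of the upload-endpoint CSRF issue and the header-based fix
# described above. This is added illustration, not Oracle's or Tenable's code;
# the origins, cookie values and request objects are placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CSRF_HEADER = "x-csrf-token"                        # header name named in the article
CSRF_VALUE = "csrf-value"                           # header value named in the article
SESSION_COOKIE = "CS-ProxyChallenge"                # cookie named in the article
TRUSTED_ORIGINS = {"https://console.example.test"}  # placeholder for the real console origin


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request as the router would see it."""
    method: str
    origin: Optional[str]                  # Origin header; browsers set it on cross-site POSTs
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def browser_attaches_cookie(samesite: str, cross_site: bool, method: str) -> bool:
    """Simplified SameSite model: does the browser send the cookie on this request?"""
    if not cross_site:
        return True
    mode = samesite.lower()
    if mode == "none":
        return True                        # the vulnerable setting: sent on any cross-site request
    if mode == "lax":
        return method.upper() == "GET"     # top-level navigations only; a cross-site POST loses it
    return False                           # strict: never sent cross-site


def upload_allowed_before_fix(req: Request) -> bool:
    """Pre-fix router logic: a valid session cookie alone authorised the multipart upload."""
    return req.method == "POST" and SESSION_COOKIE in req.cookies


def upload_allowed_after_fix(req: Request) -> bool:
    """Post-fix logic: session cookie, the custom header, and an Origin that is absent or trusted."""
    if req.method != "POST" or SESSION_COOKIE not in req.cookies:
        return False
    headers = {k.lower(): v for k, v in req.headers.items()}
    if headers.get(CSRF_HEADER) != CSRF_VALUE:
        return False                       # a cross-site form submission can never set this header
    if req.origin is not None and req.origin not in TRUSTED_ORIGINS:
        return False                       # defence in depth: reject untrusted Origin values
    return True


def cors_preflight_permits(origin: str, requested_headers: List[str]) -> bool:
    """Server-side CORS preflight decision for a scripted cross-origin request that tries to
    add custom headers. Only trusted origins may send the CSRF header, so the browser never
    issues the real upload from anywhere else."""
    allowed_headers = {"content-type", CSRF_HEADER}
    if origin not in TRUSTED_ORIGINS:
        return False
    return all(h.lower() in allowed_headers for h in requested_headers)


def cross_site_form_post(samesite: str) -> Request:
    """Request produced by a form submitted from a third-party page (constructed). The browser
    adds the Origin header and any SameSite-permitted cookies, but a page cannot attach custom
    headers to a form submission."""
    cookies: Dict[str, str] = {}
    if browser_attaches_cookie(samesite, cross_site=True, method="POST"):
        cookies[SESSION_COOKIE] = "victim-session-placeholder"
    return Request(
        method="POST",
        origin="https://third-party.example.test",
        headers={"content-type": "multipart/form-data; boundary=----x"},
        cookies=cookies,
    )


def same_origin_upload() -> Request:
    """Legitimate upload issued by the console's own front-end script (constructed)."""
    return Request(
        method="POST",
        origin="https://console.example.test",
        headers={"content-type": "multipart/form-data; boundary=----x", CSRF_HEADER: CSRF_VALUE},
        cookies={SESSION_COOKIE: "victim-session-placeholder"},
    )


if __name__ == "__main__":
    forged = cross_site_form_post("None")
    print("cross-site post, before fix:", upload_allowed_before_fix(forged))      # True: the bug
    print("cross-site post, after fix: ", upload_allowed_after_fix(forged))       # False
    print("legitimate upload, after fix:", upload_allowed_after_fix(same_origin_upload()))  # True
    print("Lax cookie alone would block it:", upload_allowed_before_fix(cross_site_form_post("Lax")))  # False
```

The model shows two independent reasons the fix holds: a forged form post carries the cookie but cannot carry the header, and a scripted cross-origin request that tries to add the header is stopped at the preflight because the attacker's origin is not in the allow list. The Lax case is included to show that a SameSite=Lax or Strict cookie would already have dropped the session from a cross-site POST, independent of the header check.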

This incident highlights the security challenges inherent in cloud service integrations, where convenience features can inadvertently expand attack surfaces beyond their intended scope.
