Hackers are actively exploiting two critical vulnerabilities in the open-source Qinglong task scheduler to gain remote access to servers and run cryptominers. The attacks began before the issue was publicly disclosed and have been ongoing since at least early February 2026.
Attackers have been exploiting two severe vulnerabilities in Qinglong to gain root access to servers and then run cryptominers on them. Researchers report that the exploitation began in early February, well before the flaws were disclosed.
Qinglong is a widely used open-source task-automation tool that users typically run on their own servers. It has thousands of deployments and a high rating on GitHub, and is used primarily by developers, especially within the Chinese development community.
Chained together, the two vulnerabilities give an attacker a full authentication bypass and arbitrary code execution on the server. Both exist in versions of Qinglong prior to 2.20.1:
CVE-2026-3965 allows unauthenticated access to administrative endpoints through the misuse of URL rewriting;
CVE-2026-4047 allows unauthenticated access to administrative endpoints because the authentication check is not implemented case-insensitively.
Snyk describes the issue as follows:
“Both issues stem from the differences in how the security middleware assumes that certain URLs will be handled versus what actually occurs when Express.js processes such URLs.”
They further describe it as follows:
“The authentication layer assumed that certain URL patterns would always be processed in a single way. However, Express.js would handle some of these patterns differently than the authentication layer expected.”
In other words, attackers exploited the mismatch between how the authentication middleware and the request router interpret the same URL.
Users initially recognized that something was amiss because they saw a strange process called .fullgc, which was consuming nearly 100% of their CPUs.
It was users, not the project, who first discovered the activity: a malicious process named “.fullgc” had been installed through Qinglong and was consuming anywhere from 85% to 100% of their CPU.
The attackers hosted several builds of the miner on the .551911.xyz server, each compiled for a specific platform (including Linux, ARM, and macOS). The campaign was not isolated: infections were reported across multiple environments, including deployments behind Nginx and SSL, which shows its breadth.
In early March the Qinglong developers finally acknowledged the problem and urged all users to update immediately. Their initial fix was insufficient, however: as Snyk noted, it focused solely on filtering commands and was ineffective.