RCE vs ACE vulnerability families



  • Is RCE (Remote Code Execution) just ACE (Arbitrary Code Execution) over a network or is there an example where RCE is not ACE? Is RCE always the more severe of the two (with respect to gaining system admin privileges), or would it depend on what application has the vulnerability (and system privileges that app runs with)?



  • Arbitrary code execution allows an attacker to run any code on the target system. Based on the Attack Vector, we can divide arbitrary code execution into two categories: remote and local.

    In general, I would say that remote code execution is more severe because, as the name suggests, it can be exploited over the network, which is much more dangerous these days when everything is interconnected. Of course, there are also other factors like what type of privileges are required, user interaction, attack complexity, etc.

    You can play with the NIST CVSS calculator and see how the individual metrics project into the score. The score can be roughly translated into the severity of the vulnerability.


