Linux CUPS RCE & Malware Video

A new technical video covers a remote-code-execution issue in the CUPS printing service and activity linked to 'Chaos' malware, highlighting that Linux service flaws are still being exploited. The video frames these Linux risks in the context of host-level exposures common in cloud and on-prem fleets. (youtube.com)

Linux print software can still become a remote entry point when auto-discovery trusts the wrong machine on the network. (openprinting.github.io) The issue sits in `cups-browsed`, a helper for the Common Unix Printing System that can automatically find printers and add queues for them. OpenPrinting disclosed the bug chain on September 26, 2024, after moving the release up from October 6, 2024, once details leaked. (openprinting.github.io)

In the published exploit path, an attacker sends a packet to port 631, the victim system connects to a fake Internet Printing Protocol server, and malicious printer data is fed into later components. GitHub’s advisory says that chain can end in arbitrary command execution without authentication when a print job starts. (github.com) Ubuntu says CVE-2024-47176 becomes dangerous when paired with CVE-2024-47076, CVE-2024-47175, and the now-rejected CVE-2024-47177. Canonical released fixes for supported Long Term Support (LTS) releases in September 2024, and its security page shows patched package versions for Ubuntu 24.04 LTS, 22.04 LTS, and older supported releases. (ubuntu.com 1) (ubuntu.com 2)

Red Hat said on September 26, 2024 that Red Hat Enterprise Linux shipped with a vulnerable configuration, but the service was disabled by default. Its bulletin said successful exploitation still required `cups-browsed` to be running and a user to print to the malicious device, with code running as the unprivileged `lp` user. (access.redhat.com) That matters beyond office printers because `cups-browsed` is host software, not a printer appliance bug. If it is enabled on internet-reachable or flat internal networks, the exposure sits on Linux servers, desktops, and virtual machines that admins may not think of as print infrastructure. (github.com) (access.redhat.com) The malware side of the video lands in the same place: attackers are still finding Linux hosts through service exposure, then turning them into infrastructure.
Darktrace said on April 7, 2026 that a new Chaos variant was seen compromising misconfigured Linux cloud servers after earlier versions focused more on routers and edge devices. (darktrace.com) Darktrace’s honeypot case started with an Apache Hadoop server configured to allow remote code execution through its resource manager endpoint. The intruder used shell commands to fetch a Chaos binary, run it, and delete it from disk, according to Darktrace’s write-up. (darktrace.com) The new Linux sample kept distributed denial-of-service features and added a SOCKS5 proxy mode that can relay traffic through the victim server. Darktrace said the malware also used `systemd` persistence, while Lumen’s Black Lotus Labs has described Chaos since 2022 as a Go-based malware family built for Linux, Windows, routers, and servers. (darktrace.com) (lumen.com)

Put together, the two cases describe the same operational problem: a Linux host exposes a service, trusts input it should not trust, and becomes someone else’s tool. The fixes are ordinary ones: patch the packages, disable unused discovery services, and close or harden exposed management endpoints. But the attack path is still current in 2026. (ubuntu.com) (access.redhat.com) (darktrace.com)
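As an added defender-side check for the `cups-browsed` exposure described above (example code, not from the video, OpenPrinting or any distribution), the POSIX shell script below audits a `cups-browsed.conf` for `BrowseRemoteProtocols`, the setting that decides whether the daemon accepts printer announcements from the network at all. The sample config files are constructed inline; the value assumed when the key is absent ("dnssd cups") is the shipped default per the cups-browsed.conf man page.

```shell
#!/bin/sh
# Added example (not code from the video, OpenPrinting or any distribution).
# Reads cups-browsed.conf for BrowseRemoteProtocols, the key that decides
# whether cups-browsed accepts printer announcements from the network, the
# precondition the CVE-2024-47176 chain needs. The value assumed when the key
# is absent ("dnssd cups") is the shipped default per cups-browsed.conf(5).
# Caveat: BrowseProtocols, which sets both directions at once, is not parsed.

# Effective BrowseRemoteProtocols for one file: last uncommented line wins.
browse_remote_protocols() {
    val=$(awk 'tolower($1) == "browseremoteprotocols" { $1 = ""; sub(/^ +/, ""); v = tolower($0) }
               END { print v }' "$1" 2>/dev/null)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'dnssd cups\n'; fi
}

# True (exit 0) when the host would still listen for remote printers.
accepts_remote_printers() {
    [ "$(browse_remote_protocols "$1")" != "none" ]
}

# One-line verdict per file, suitable for a fleet-wide sweep over ssh.
audit_conf() {
    proto=$(browse_remote_protocols "$1")
    if accepts_remote_printers "$1"; then
        printf 'EXPOSED %s: BrowseRemoteProtocols=%s (set "none" or stop cups-browsed)\n' "$1" "$proto"
    else
        printf 'OK      %s: BrowseRemoteProtocols=%s\n' "$1" "$proto"
    fi
}

# Constructed sample files standing in for /etc/cups/cups-browsed.conf.
EXPOSED_CONF=$(mktemp); HARDENED_CONF=$(mktemp); DEFAULT_CONF=$(mktemp)
trap 'rm -f "$EXPOSED_CONF" "$HARDENED_CONF" "$DEFAULT_CONF"' EXIT
cat > "$EXPOSED_CONF" <<'EOF'
# BrowseRemoteProtocols none   <- commented out, so it has no effect
BrowseRemoteProtocols dnssd cups
EOF
printf 'BrowseRemoteProtocols None\n' > "$HARDENED_CONF"   # case-insensitive
: > "$DEFAULT_CONF"                                       # key absent

for f in "$EXPOSED_CONF" "$HARDENED_CONF" "$DEFAULT_CONF"; do audit_conf "$f"; done

# On a live host, pair the file check with runtime state (not run here):
#   systemctl is-active cups-browsed    # "active": the daemon is up
#   ss -lun 'sport = :631'              # UDP 631 listener = browse socket
```

A file that passes this check still leaves the packages unpatched, so the audit complements, rather than replaces, the distribution updates listed above.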
