CVE-2026-30120

Remotion RCE via Code Injection (CVE-2026-30120)

Detects exploitation of CVE-2026-30120, a critical remote code execution vulnerability in the Remotion npm package (versions < 4.0.410). The vulnerability stems from improper control of code generation (CWE-94, Code Injection), allowing attackers to execute arbitrary code in environments that render with a vulnerable Remotion version. A public PoC exists, which raises the likelihood of exploitation.

Vulnerability Intelligence: public PoC available

What is CVE-2026-30120 (Remotion RCE via Code Injection)?

Remotion RCE via Code Injection (CVE-2026-30120) maps to the MITRE ATT&CK Execution, Persistence and Lateral Movement tactics. In Execution terms, the adversary is trying to run malicious code on the host that performs the Remotion render.

This page provides production-ready detection logic for Remotion RCE via Code Injection (CVE-2026-30120), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution, Persistence, Lateral Movement
Microsoft Sentinel / Defender
kusto
let RemotionRCEIndicators = dynamic(['remotion', '@remotion/', 'remotion-dev']);
let SuspiciousNodePatterns = dynamic(['child_process', 'eval(', 'Function(', 'execSync', 'spawnSync', 'exec(']);
// Cover both Linux and Windows image names; a plain 'node'/'npx' list misses node.exe.
let NodeBinaries = dynamic(['node', 'node.exe', 'npx', 'npx.cmd']);
union DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
| where Timestamp > ago(24h)
// Only DeviceProcessEvents carries ProcessCommandLine; file and network rows are matched on the initiating (node) process.
| extend EffectiveCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where EffectiveCommandLine has_any (RemotionRCEIndicators) or InitiatingProcessCommandLine has_any (RemotionRCEIndicators)
// Require Node.js as the actor or its parent; parenthesised so the intended and/or grouping holds.
| where (FileName in~ (NodeBinaries) or InitiatingProcessFileName in~ (NodeBinaries))
    and (EffectiveCommandLine has_any (SuspiciousNodePatterns) or InitiatingProcessCommandLine has_any (SuspiciousNodePatterns))
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessCommandLine, FileName, FolderPath, RemoteIP, RemotePort
| order by Timestamp desc

Detects Node.js process, file and network activity tied to Remotion whose command line (or whose parent's command line) contains code-injection patterns such as child_process, eval, exec or spawn usage. These patterns only reach the command line when the payload is passed inline (for example via node -e); injection delivered through rendered input will not appear there, so in practice the stronger signal is a shell or system utility (sh, cmd.exe, id, whoami) spawned by node in a Remotion context, which the parent-process conditions above are meant to catch.
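As an added example, not part of this page's shipped detection content, the following Python re-implements the matching logic of the query above and runs it over constructed Defender-style process events, so the Linux, Windows (node.exe) and child-of-node cases can be checked offline. The event rows, host names and command lines are invented for the example, and KQL's term-based, case-insensitive has_any is approximated with a case-insensitive substring match.

```python
"""Offline check of the Remotion RCE detection logic over constructed sample events."""
from __future__ import annotations

REMOTION_INDICATORS = ("remotion", "@remotion/", "remotion-dev")
SUSPICIOUS_NODE_PATTERNS = ("child_process", "eval(", "Function(", "execSync", "spawnSync", "exec(")
# Linux and Windows image names for the Node.js host process.
NODE_BINARIES = {"node", "node.exe", "npx", "npx.cmd"}


def _has_any(text: str, needles: tuple[str, ...]) -> bool:
    # Approximation of KQL has_any: case-insensitive substring match.
    lowered = text.lower()
    return any(n.lower() in lowered for n in needles)


def is_remotion_rce_candidate(event: dict) -> bool:
    """True when the event is a Node.js process (or a child of one) whose command line,
    or whose parent's command line, ties it to Remotion and carries an injection pattern."""
    cmd = event.get("ProcessCommandLine") or event.get("InitiatingProcessCommandLine", "")
    parent_cmd = event.get("InitiatingProcessCommandLine", "")
    in_remotion_context = _has_any(cmd, REMOTION_INDICATORS) or _has_any(parent_cmd, REMOTION_INDICATORS)
    node_host = (event.get("FileName", "").lower() in NODE_BINARIES
                 or event.get("InitiatingProcessFileName", "").lower() in NODE_BINARIES)
    injection_pattern = _has_any(cmd, SUSPICIOUS_NODE_PATTERNS) or _has_any(parent_cmd, SUSPICIOUS_NODE_PATTERNS)
    return in_remotion_context and node_host and injection_pattern


def run_detection(events: list[dict]) -> list[dict]:
    """Return the matching events, newest first (mirrors the query's order by)."""
    hits = [e for e in events if is_remotion_rce_candidate(e)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


# Constructed sample telemetry shaped like DeviceProcessEvents rows (not real data).
SAMPLE_EVENTS = [
    {   # Linux: inline payload with eval( in a Remotion context
        "Timestamp": "2026-03-01T10:00:00Z", "DeviceName": "render-01", "AccountName": "render",
        "FileName": "node",
        "ProcessCommandLine": "node -e \"require('remotion');eval(process.argv[1])\" \"require('child_process').execSync('id')\"",
        "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash -c npm run render",
    },
    {   # Child spawned by node: the indicators live only in the parent's command line
        "Timestamp": "2026-03-01T10:00:01Z", "DeviceName": "render-01", "AccountName": "render",
        "FileName": "id", "ProcessCommandLine": "id",
        "InitiatingProcessFileName": "node",
        "InitiatingProcessCommandLine": "node -e \"require('remotion');eval(process.argv[1])\"",
    },
    {   # Windows: node.exe with spawnSync, must match despite the .exe suffix
        "Timestamp": "2026-03-01T10:00:02Z", "DeviceName": "WIN-RENDER", "AccountName": "svc_render",
        "FileName": "node.exe",
        "ProcessCommandLine": "node.exe -e \"require('@remotion/renderer');require('child_process').spawnSync('cmd.exe',['/c','whoami'])\"",
        "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessCommandLine": "cmd.exe /c render.bat",
    },
    {   # Benign: ordinary Remotion render with no injection pattern on the command line
        "Timestamp": "2026-03-01T10:00:03Z", "DeviceName": "render-01", "AccountName": "render",
        "FileName": "node",
        "ProcessCommandLine": "node node_modules/.bin/remotion render src/index.ts MyComp out.mp4",
        "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash -c npm run render",
    },
    {   # Benign: eval( in a script unrelated to Remotion
        "Timestamp": "2026-03-01T10:00:04Z", "DeviceName": "dev-02", "AccountName": "alice",
        "FileName": "node", "ProcessCommandLine": "node -e \"eval('1+1')\"",
        "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["FileName"], hit["ProcessCommandLine"][:70])
```

Running the script prints the three expected matches (the Windows node.exe event, the id child spawned by node, and the inline Linux payload) and skips both benign rows; the last benign row is the false-positive class to watch, since eval( alone must not fire without a Remotion indicator.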

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor

Required Tables

DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents

False Positives

  • Legitimate Remotion video rendering pipelines that invoke child processes as part of normal operation
  • Development environments where developers are testing Remotion rendering locally
  • CI/CD pipelines that run Remotion rendering as part of automated build and deploy workflows

Sigma rule & cross-platform mapping

The detection logic for Remotion RCE via Code Injection (CVE-2026-30120) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Note that Tests 1 and 2 below exercise Linux render hosts (node, /tmp paths). A Windows-only logsource will not match Linux process creation telemetry, so deploy a second copy of the rule with product: linux if your render workers run there.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Remotion Code Injection via eval()

    Expected signal: Process launch event for node with command line containing 'remotion' and 'eval('. Child process event for 'id' command spawned from node. File creation event for /tmp/cve_2026_30120_test.txt.

  2. Test 2: Simulate Remotion execSync Child Process Spawn

    Expected signal: Process event for node with title 'remotion-renderer'. child_process module load. Execution of 'whoami'. File write to /tmp/remotion_rce_test.txt.

  3. Test 3: Simulate Remotion RCE on Windows via spawnSync

    Expected signal: DeviceProcessEvents entry for node.exe with 'remotion' and 'spawnSync' in CommandLine. Child process event for cmd.exe spawned from node.exe. File write event for remotion_rce_test.txt in the TEMP directory.
