Detect Remotion RCE via Code Injection (CVE-2026-30120) in Splunk
Detects exploitation of CVE-2026-30120, a critical remote code execution vulnerability in the Remotion npm package (versions < 4.0.410). The vulnerability stems from improper code injection controls (CWE-94), allowing attackers to execute arbitrary code in environments running vulnerable Remotion versions. A public PoC exists, elevating exploitation risk.
MITRE ATT&CK
- Tactic: Execution, Persistence, Lateral Movement
SPL Detection Query
index=* sourcetype IN ("node:process", "osquery:process", "sysmon", "linux:audit", "wineventlog")
| search (process_name="node" OR process_name="npx" OR command_line="*remotion*" OR command_line="*@remotion*")
| where match(command_line, "(child_process|eval\\(|execSync|spawnSync|Function\\(|exec\\()")
| eval risk_score=case(
match(command_line, "execSync|spawnSync"), 90,
match(command_line, "child_process"), 80,
match(command_line, "eval\\(|Function\\("), 85,
true(), 70
)
| table _time, host, user, process_name, command_line, parent_process, dest_ip, dest_port, risk_score
| sort - risk_score

Detects exploitation attempts of CVE-2026-30120 by identifying Node.js processes running Remotion with code injection patterns. Risk scoring is applied based on severity of the injection method detected.
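To check the rule's filter and scoring logic offline, this added example (not part of the original detection package) replays it in Python over constructed process events; the event dictionaries and host names are assumptions. It also shows that, because case() returns the first matching branch, a command line containing both child_process and eval( scores 80 rather than 85.

```python
import re

# Same alternation as the rule's `where match(command_line, ...)` clause.
INJECTION = re.compile(r"(child_process|eval\(|execSync|spawnSync|Function\(|exec\()")

# Ordered exactly like the SPL case(): the first matching branch wins.
SCORE_BRANCHES = [
    (re.compile(r"execSync|spawnSync"), 90),
    (re.compile(r"child_process"), 80),
    (re.compile(r"eval\(|Function\("), 85),
]

def score_event(event):
    """Return the rule's risk_score for one process event, or None if it does not fire."""
    name = event.get("process_name", "").lower()
    cmd = event.get("command_line", "")
    # `| search` stage: exact process name, or *remotion* / *@remotion* in the
    # command line (the search command compares field values case-insensitively).
    in_scope = name in ("node", "npx") or "remotion" in cmd.lower()
    # `| where match()` stage: case-sensitive regex on the command line.
    if not in_scope or not INJECTION.search(cmd):
        return None
    for pattern, score in SCORE_BRANCHES:
        if pattern.search(cmd):
            return score
    return 70  # true() branch, reached by a bare exec( match

# Constructed events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "build01", "process_name": "node",
     "command_line": "node -e require('remotion');eval('1+1')"},
    {"host": "build02", "process_name": "node",
     "command_line": "node -e require('child_process').execSync('whoami')"},
    {"host": "win01", "process_name": "node.exe",
     "command_line": "node.exe remotion-render.js spawnSync"},
    {"host": "build03", "process_name": "node",
     "command_line": "node -e require('child_process');eval(x)"},
    {"host": "build04", "process_name": "npx",
     "command_line": "npx remotion render src/index.ts out.mp4"},
    {"host": "build05", "process_name": "node",
     "command_line": "node worker.js --hook cp.exec('id')"},
]

def triage(events):
    """Mimic `| sort - risk_score`: matching events only, highest score first."""
    hits = [(score_event(e), e["host"], e["command_line"]) for e in events]
    return sorted((h for h in hits if h[0] is not None), key=lambda h: -h[0])

if __name__ == "__main__":
    for score, host, cmd in triage(SAMPLE_EVENTS):
        print(score, host, cmd)
```

The plain `npx remotion render` event produces no hit, and `node.exe` is only in scope through the `*remotion*` wildcard because the rule's process_name values carry no `.exe` suffix.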
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Remotion video rendering tasks that naturally spawn child processes for ffmpeg or browser automation
- Security testing tools and red team exercises targeting Remotion deployments
- Package managers (npm, yarn) running Remotion installation or update scripts
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Remotion Code Injection via eval()
  Expected signal: Process launch event for node with command line containing 'remotion' and 'eval('. Child process event for 'id' command spawned from node. File creation event for /tmp/cve_2026_30120_test.txt.
- Test 2: Simulate Remotion execSync Child Process Spawn
  Expected signal: Process event for node with title 'remotion-renderer'. child_process module load. Execution of 'whoami'. File write to /tmp/remotion_rce_test.txt.
- Test 3: Simulate Remotion RCE on Windows via spawnSync
  Expected signal: DeviceProcessEvents entry for node.exe with 'remotion' and 'spawnSync' in CommandLine. Child process event for cmd.exe spawned from node.exe. File write event for remotion_rce_test.txt in TEMP directory.