CVE-2026-7461: Amazon ECS Agent Vulnerability Allows SYSTEM Privilege Escalation

The National Vulnerability Database has detailed CVE-2026-7461, a high-severity vulnerability (CVSS 7.2) affecting the Amazon ECS Agent on Windows. Specifically, the FSx Windows File Server volume mounting component is susceptible to improper input neutralization. This flaw could enable a remote authenticated attacker to execute shell commands with SYSTEM privileges on the underlying host.

Attackers would leverage a specially crafted username field within an ECS task definition. This isn’t a low-bar attack; it requires existing permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. The attacker’s calculus here is privilege escalation post-initial access, turning a limited foothold into full system control.

For defenders, the fix is straightforward: upgrade the Amazon ECS Agent on Windows to version 1.103.0 or later. This is a critical patch for any organization running Windows containers with FSx integration, as the potential for complete host compromise from an authenticated user with specific permissions is a serious risk.

What This Means For You

  • If your organization uses Amazon ECS Agent on Windows with FSx Windows File Server volumes, immediately verify your agent versions. Patch to version 1.103.0 without delay to prevent privilege escalation via CVE-2026-7461. Also, audit permissions around ECS task definition registration and Secrets Manager/SSM Parameter Store access.
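
One way to run the version check and credential inventory described above, as an added example (not code from NVD, AWS, or the original post). It parses JSON in the shape returned by `aws ecs describe-container-instances` and `aws ecs describe-task-definition`; the sample records, IDs, ARNs and function names are constructed for illustration.

```python
import json

FIXED = (1, 103, 0)  # first fixed agent version named in the advisory

# Constructed sample shaped like `aws ecs describe-container-instances` output.
INSTANCES = json.loads("""
{"containerInstances": [
 {"ec2InstanceId": "i-0example0000001", "versionInfo": {"agentVersion": "1.102.1"},
  "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
 {"ec2InstanceId": "i-0example0000002", "versionInfo": {"agentVersion": "1.103.0"},
  "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
 {"ec2InstanceId": "i-0example0000003", "versionInfo": {"agentVersion": "1.99.0"},
  "attributes": [{"name": "ecs.os-type", "value": "linux"}]}
]}""")

# Constructed sample shaped like `aws ecs describe-task-definition` output.
TASKDEF = json.loads("""
{"taskDefinition": {"family": "example-web", "volumes": [
 {"name": "scratch", "host": {}},
 {"name": "share", "fsxWindowsFileServerVolumeConfiguration": {
   "fileSystemId": "fs-0example0000000", "rootDirectory": "share",
   "authorizationConfig": {"domain": "example.com", "credentialsParameter":
     "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-fsx"}}}
]}}""")

def parse_version(text):
    """'1.102.1' -> (1, 102, 1); missing or malformed versions sort lowest so they get flagged."""
    try:
        return tuple(int(part) for part in text.lstrip("v").split("."))
    except (AttributeError, ValueError):
        return (0,)

def unpatched_windows_instances(doc):
    """EC2 instance IDs of Windows container instances whose agent is older than FIXED."""
    flagged = []
    for ci in doc.get("containerInstances", []):
        attrs = {a["name"]: a.get("value") for a in ci.get("attributes", [])}
        version = ci.get("versionInfo", {}).get("agentVersion")
        if attrs.get("ecs.os-type") == "windows" and parse_version(version) < FIXED:
            flagged.append(ci["ec2InstanceId"])
    return flagged

def fsx_credential_parameters(doc):
    """Secrets Manager / SSM ARNs that supply FSx volume credentials in a task definition."""
    volumes = doc["taskDefinition"].get("volumes", [])
    configs = (v.get("fsxWindowsFileServerVolumeConfiguration") for v in volumes)
    return [c["authorizationConfig"]["credentialsParameter"] for c in configs if c]

if __name__ == "__main__":
    print("unpatched Windows instances:", unpatched_windows_instances(INSTANCES))
    print("review write access to:", fsx_credential_parameters(TASKDEF))
```

The ARNs returned by `fsx_credential_parameters` are the secrets and parameters whose write permissions need review, alongside who holds permission to register task definitions.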

🛡️ Detection Rules

critical T1059.003 Privilege Escalation

CVE-2026-7461: Amazon ECS Agent SYSTEM Privilege Escalation via FSx Volume Mount

title: CVE-2026-7461: Amazon ECS Agent SYSTEM Privilege Escalation via FSx Volume Mount
id: scw-2026-04-30-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the Amazon ECS agent attempting to mount an FSx volume with potentially malicious parameters, indicative of CVE-2026-7461. This rule specifically targets the interaction between the ECS agent and FSx volume mounting, which is the vector for SYSTEM privilege escalation by exploiting the username field in task definitions.
author: SCW Feed Engine (AI-generated)
date: 2026-04-30
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7461/
tags:
  - attack.privilege_escalation
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows  # the selection below uses Windows paths
detection:
  selection:
    # process image is the ECS agent binary
    Image|startswith:
      - 'C:\Program Files\Amazon\ECS\ecs-agent.exe'
    # either substring matches (list values are ORed)
    CommandLine|contains:
      - 'mount.exe'
      - 'fsx'
  # condition is a key of detection, not of selection
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7461 | RCE | Amazon ECS Agent on Windows before version 1.103.0 |
| CVE-2026-7461 | Command Injection | FSx Windows File Server volume mounting component |
| CVE-2026-7461 | Privilege Escalation | Execute shell commands with SYSTEM privileges |
| CVE-2026-7461 | Command Injection | Specially crafted username field in an ECS task definition |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 30, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
