CVE-2026-0980: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Red Hat Red Hat Satellite 6
CVE-2026-0980 is a high-severity OS command injection vulnerability in the rubyipmi gem used by the Baseboard Management Controller (BMC) component of Red Hat Satellite 6. An authenticated attacker with host creation or update permissions can exploit this flaw by crafting a malicious username for the BMC interface, potentially leading to remote code execution on the underlying system. The vulnerability requires no user interaction but does require some level of privileges (authenticated with specific permissions). While no known exploits are currently in the wild, the impact on confidentiality and integrity is high, with some impact on availability. This vulnerability affects organizations using Red Hat Satellite 6 for infrastructure management, especially those leveraging BMC interfaces. Mitigation involves applying vendor patches once available, restricting permissions to host creation/update functions, and monitoring BMC interface inputs for anomalies. Countries with significant Red Hat Satellite deployments and critical infrastructure relying on BMC management are at higher risk.
AI Analysis
Technical Summary
CVE-2026-0980 is an OS command injection vulnerability identified in the rubyipmi gem, which is a Ruby library used within the Baseboard Management Controller (BMC) component of Red Hat Satellite 6. The vulnerability arises due to improper neutralization of special elements in user-supplied input, specifically in the username field for the BMC interface. An attacker who is authenticated and possesses host creation or update permissions can craft a malicious username that injects operating system commands. This injection flaw allows the attacker to execute arbitrary commands remotely on the system running Red Hat Satellite 6, effectively leading to remote code execution (RCE). The vulnerability has a CVSS 3.1 base score of 8.3, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H), with low impact on availability (A:L). The flaw is particularly dangerous because Red Hat Satellite is widely used for managing large-scale Red Hat Enterprise Linux deployments, and the BMC interface is critical for hardware management and automation. Although no known exploits have been reported in the wild yet, the potential for exploitation is significant due to the ease of exploitation once the attacker has the required permissions. The vulnerability was reserved in January 2026 and published in February 2026, with no patches linked yet, indicating that remediation may still be pending or in progress.
Potential Impact
The impact of CVE-2026-0980 is substantial for organizations using Red Hat Satellite 6, especially those relying on BMC for hardware management and automation. Successful exploitation allows attackers to execute arbitrary commands remotely, compromising system confidentiality and integrity by potentially accessing sensitive data, modifying system configurations, or deploying malware. Although availability impact is rated low, attackers could disrupt management operations or cause partial service degradation. Given that exploitation requires authenticated access with host creation or update permissions, insider threats or compromised credentials pose a significant risk. Organizations managing large fleets of servers with Red Hat Satellite could face widespread compromise if attackers leverage this vulnerability. Additionally, attackers could pivot from the compromised Satellite server to other internal systems, escalating the breach impact. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score underscores the urgency of addressing this flaw.
Mitigation Recommendations
To mitigate CVE-2026-0980, organizations should:
1) Apply official patches from Red Hat as soon as they become available to address the vulnerability in rubyipmi and the BMC component.
2) Restrict host creation and update permissions strictly to trusted administrators to reduce the risk of exploitation by unauthorized users.
3) Implement strong authentication mechanisms and monitor for unusual login patterns or privilege escalations related to Red Hat Satellite.
4) Conduct input validation and sanitization on BMC interface inputs where possible, or deploy web application firewalls (WAFs) with custom rules to detect and block command injection attempts targeting the username field.
5) Regularly audit Red Hat Satellite logs and BMC interface activity for suspicious commands or anomalies.
6) Isolate Red Hat Satellite servers within secure network segments to limit exposure to untrusted networks.
7) Educate administrators about the risks of this vulnerability and the importance of credential security.
8) Consider temporary compensating controls such as disabling BMC interface features if feasible until patches are applied.
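The injection pattern described in the Technical Summary and the input validation in recommendation 4, shown as an added Ruby example (not rubyipmi or Satellite code). `echo` stands in for the IPMI client; the allow-list, helper names and sample value are assumptions constructed for illustration.

```ruby
require "open3"

# Allow-list for BMC account names. The character set and the 16-character
# limit are assumptions for this example; match them to what your BMCs accept.
BMC_USERNAME = /\A[A-Za-z0-9._-]{1,16}\z/

def valid_bmc_username?(name)
  name.is_a?(String) && BMC_USERNAME.match?(name)
end

# Unsafe pattern: the username is interpolated into a single command string,
# which Ruby hands to /bin/sh when it contains shell metacharacters.
# `echo` stands in for the IPMI client so the example runs offline.
def run_interpolated(username)
  out, _status = Open3.capture2("echo user=#{username}")
  out
end

# Argument-vector pattern without validation: with more than one argument
# Ruby executes the program directly, so the value stays a single argument.
def run_argv_unchecked(username)
  out, _status = Open3.capture2("echo", "user=#{username}")
  out
end

# Hardened pattern: validate against the allow-list, then use the
# argument-vector form. Both layers apply.
def run_argv(username)
  raise ArgumentError, "rejected BMC username" unless valid_bmc_username?(username)
  run_argv_unchecked(username)
end

# Constructed sample value containing a shell command separator.
SAMPLE = "admin; echo INJECTED"

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(SAMPLE).inspect}"
  puts "argv only:    #{run_argv_unchecked(SAMPLE).inspect}"
  puts "valid name?   #{valid_bmc_username?(SAMPLE)}"
  puts "hardened:     #{run_argv('admin').inspect}"
end
```

The same allow-list can be applied when reviewing existing host records: any stored BMC username that fails it warrants a closer look.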
Affected Countries
United States, Germany, United Kingdom, Japan, India, Canada, Australia, France, South Korea, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-01-15T08:53:56.962Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69a14e1a32ffcdb8a203afe0
Added to database: 2/27/2026, 7:56:10 AM
Last enriched: 2/27/2026, 8:10:25 AM
Last updated: 2/27/2026, 10:04:41 AM