This vulnerability (CVE-2026-7461) involves improper neutralization of inputs used in OS commands (CWE-78) within the FSx Windows File Server volume mounting component of the Amazon ECS Agent on Windows prior to version 1.103.0. An authenticated attacker with specific permissions can exploit a specially crafted username field in an ECS task definition to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The issue requires elevated permissions related to ECS task definition registration or credential management in Secrets Manager or SSM Parameter Store. AWS manages remediation for this cloud service and has released version 1.103.0 to address the issue.

Successful exploitation allows remote authenticated attackers with certain permissions to execute arbitrary shell commands with SYSTEM privileges on the host running the Amazon ECS Agent on Windows. This can lead to full compromise of the host system, including confidentiality, integrity, and availability impacts. The vulnerability has a CVSS 3.1 score of 7.2 (high severity), reflecting network attack vector, low attack complexity, high privileges required, and high impact on confidentiality, integrity, and availability.

AWS manages remediation for this cloud-hosted service. Users should upgrade the Amazon ECS Agent on Windows to version 1.103.0 or later to remediate this vulnerability. Until the upgrade is applied, restrict permissions to register ECS task definitions and to write to Secrets Manager or SSM Parameter Store credentials used by FSx volume configurations to trusted administrators only. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-024-aws/ for the latest guidance and confirmation of patch status.