“Remote code execution” is one of those phrases you see in security headlines and probably glaze over. It came up again this weekend when researchers published a working exploit for a FortiSandbox flaw that lets an attacker run commands on the appliance without logging in. If a vendor ever says a flaw allows “unauthenticated RCE,” it’s worth understanding what that actually means for your business.
Remote code execution — RCE for short — means a bad actor can run their own software on a computer they don’t own, over the network, without needing to be physically at the keyboard. Think of it as someone halfway around the world typing commands directly into your server’s terminal. When RCE is unauthenticated, they don’t even need a stolen password — they just need the machine to be reachable and the flaw to be unpatched. A useful analogy: it’s the difference between someone picking the lock on your office door (authenticated) versus walking in because the door was never installed at all (unauthenticated).
Why it matters right now: most RCE flaws target infrastructure an SMB rarely thinks about directly — firewalls, routers, VPN boxes, print servers, backup appliances. These sit on the edge of the network and usually run 24/7. If one gets compromised via an RCE bug, the attacker can pivot into the rest of your environment — file servers, Microsoft 365 tokens stored on workstations, the lot. It’s the most direct route from the public internet to your crown-jewel data.
The practical implication: ask your IT provider two questions. What appliances and edge devices do we run, and how quickly do firmware patches get applied when a critical RCE is disclosed? If the answer to the second is “whenever we get to it,” that’s the gap worth closing. Managed patching should cover firmware, not just Windows updates.
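To put a number on the second question, here is an added example (not from any vendor or provider tooling) that measures how long each device stayed exposed after an RCE advisory was disclosed and flags the ones that missed a patch window. The inventory, device names, dates and window lengths are all constructed assumptions; substitute your own.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Advisory:
    device: str               # appliance name from your inventory
    internet_facing: bool     # reachable from the public internet?
    unauthenticated: bool     # exploitable without credentials?
    disclosed: date           # date the vendor published the advisory
    patched: Optional[date]   # date firmware was applied; None = still unpatched

def exposure_days(a: Advisory, today: date) -> int:
    """Days the device was (or still is) exposed after disclosure."""
    end = a.patched if a.patched is not None else today
    return max((end - a.disclosed).days, 0)

def sla_days(a: Advisory) -> int:
    """Hypothetical policy: the easier the flaw is to reach, the shorter the window."""
    if a.internet_facing and a.unauthenticated:
        return 2
    if a.internet_facing or a.unauthenticated:
        return 7
    return 30

def breaches(records, today):
    """Return (device, exposure, limit, still_open) for every missed window."""
    out = []
    for a in records:
        days, limit = exposure_days(a, today), sla_days(a)
        if days > limit:
            out.append((a.device, days, limit, a.patched is None))
    # Still-unpatched devices first, then by how far past the window they are
    return sorted(out, key=lambda r: (not r[3], -(r[1] - r[2])))

# Constructed sample inventory (not real devices or advisories)
SAMPLE = [
    Advisory("edge-firewall", True, True, date(2025, 3, 1), date(2025, 3, 2)),
    Advisory("vpn-gateway", True, True, date(2025, 3, 1), None),
    Advisory("print-server", False, True, date(2025, 2, 10), date(2025, 3, 5)),
    Advisory("backup-appliance", False, False, date(2025, 2, 20), date(2025, 3, 10)),
]

if __name__ == "__main__":
    for device, days, limit, still_open in breaches(SAMPLE, date(2025, 3, 15)):
        state = "STILL UNPATCHED" if still_open else "patched late"
        print(f"{device}: exposed {days}d (limit {limit}d) - {state}")
```

Anything reported as still unpatched on an internet-facing device with an unauthenticated flaw is the case the article describes: reachable, exploitable without a password, and open.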
