Skip to main content

FastNetMon EUVDEUVD-2026-31843

| CVE-2026-48687 CRITICAL
OS Command Injection (CWE-78)
2026-05-26 mitre GHSA-qx97-6jw5-h44w
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 19:39 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
9.8 (CRITICAL)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.

AnalysisAI

OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

The affected component is a PHP helper script that FastNetMon uses to integrate with Juniper routers for automated DDoS/blackhole actions. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command). At lines 117-118 the _log() function builds a logging command via string concatenation - exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP) - passing it to PHP's exec(). Because PHP exec() invokes a system shell, both the embedded backtick date and any shell metacharacters in $msg (e.g. ;, |, $(), backticks) are interpreted, not treated as literal text. No escapeshellarg(), escapeshellcmd(), or input validation is applied to the argv-derived parameters. The CPE string supplied (cpe:2.3:a:n/a:n/a:*) is a placeholder and contributes no usable product/version data.

RemediationAI

No vendor-released patch (fixed version) is identified at time of analysis; the references point to the source repository and a research blog rather than a tagged release or merged fix commit. The researcher-recommended code fix is to stop using exec() for logging - write the log line with file_put_contents() instead - or, if exec() must remain, wrap every parameter ($msg and the argv-derived IP/direction/power values) in escapeshellarg() and validate that the IP is well-formed dotted-decimal before use. Until an upstream fix is available, apply compensating controls: restrict filesystem and execution permissions so only the FastNetMon service account can invoke fastnetmon_juniper.php (prevents direct/manual invocation with crafted arguments, with no functional side effect); do not connect this plugin to any external orchestration layer that could pass unvalidated or string-sourced IPs (may require reworking custom automation); and add input validation/allowlisting on any wrapper that calls the script. Track the upstream repository and the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-48687 for a patched release.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-31843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy