Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
AnalysisAI
OS command injection in FastNetMon Community Edition (through 1.2.9) lets attacker-controlled input reach an unescaped exec() call inside the Juniper router integration plugin, enabling arbitrary shell command execution on the host. The flaw lives in the _log() function of src/juniper_plugin/fastnetmon_juniper.php, where the $msg argument (built from argv[1]-argv[3]: attack IP, direction, power) is concatenated directly into a shell command. Although rated CVSS 9.8, practical exploitation is gated: FastNetMon's C++ core currently feeds IPs through inet_ntoa(), which only yields safe dotted-decimal strings, so injection requires the script to be driven directly or by a third-party orchestrator. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The affected component is a PHP helper script that FastNetMon uses to integrate with Juniper routers for automated DDoS/blackhole actions. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command). At lines 117-118 the _log() function builds a logging command via string concatenation - exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP) - passing it to PHP's exec(). Because PHP exec() invokes a system shell, both the embedded backtick date and any shell metacharacters in $msg (e.g. ;, |, $(), backticks) are interpreted, not treated as literal text. No escapeshellarg(), escapeshellcmd(), or input validation is applied to the argv-derived parameters. The CPE string supplied (cpe:2.3:a:n/a:n/a:*) is a placeholder and contributes no usable product/version data.
RemediationAI
No vendor-released patch (fixed version) is identified at time of analysis; the references point to the source repository and a research blog rather than a tagged release or merged fix commit. The researcher-recommended code fix is to stop using exec() for logging - write the log line with file_put_contents() instead - or, if exec() must remain, wrap every parameter ($msg and the argv-derived IP/direction/power values) in escapeshellarg() and validate that the IP is well-formed dotted-decimal before use. Until an upstream fix is available, apply compensating controls: restrict filesystem and execution permissions so only the FastNetMon service account can invoke fastnetmon_juniper.php (prevents direct/manual invocation with crafted arguments, with no functional side effect); do not connect this plugin to any external orchestration layer that could pass unvalidated or string-sourced IPs (may require reworking custom automation); and add input validation/allowlisting on any wrapper that calls the script. Track the upstream repository and the advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-48687 for a patched release.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31843
GHSA-qx97-6jw5-h44w