Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF set-configuration commands at lines 69 and 90 without any validation or sanitization. Line 69: $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"). Line 90: $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"). An attacker who can control the IP address string can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set/delete commands. This could modify the router's routing table, firewall filters, user accounts, or any other configuration element accessible via NETCONF. The impact is full router compromise.
AnalysisAI
Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1.
Technical ContextAI
FastNetMon is an open-source DDoS detection toolkit that triggers external mitigation scripts when traffic anomalies are detected; its Juniper integration ships as a PHP script (src/juniper_plugin/fastnetmon_juniper.php) that uses a NETCONF library to push BGP blackhole/static-route commands to Juniper routers. The vulnerability is a textbook CWE-78 (OS Command Injection)-class issue applied to a router configuration channel: at lines 69 and 90 the $IP_ATTACK variable, taken directly from argv[1], is string-interpolated into the load_set_configuration() payload without validation, so embedded newline characters terminate the intended 'set routing-options static route ...' statement and let the attacker append additional set/delete CLI configuration elements that NETCONF will commit. The CPE entry is the placeholder n/a:n/a, reflecting that FastNetMon Community Edition is not yet enumerated in the official CPE dictionary; affected versions must be taken from the description (≤1.2.9) and the upstream GitHub repository pavel-odintsov/fastnetmon.
RemediationAI
No vendor-released patch identified at time of analysis; the references list links to the GitHub project and a third-party advisory but no fixed FastNetMon release. As a compensating control, validate $IP_ATTACK in src/juniper_plugin/fastnetmon_juniper.php with a strict IPv4/IPv6 regex (or PHP filter_var with FILTER_VALIDATE_IP) before passing it to load_set_configuration, rejecting any input containing whitespace, newlines, or NETCONF metacharacters - the trade-off is a local patch that may diverge from upstream. Operationally, restrict which subsystems can invoke the Juniper plugin (run FastNetMon and its callout scripts under a dedicated unprivileged account, lock down the NETCONF user on the router to only the set/delete routing-options static route command set via Juniper login class command-allow/deny regex), so even successful injection cannot reconfigure firewall filters or user accounts; the side effect is that legitimate future additions to the integration may also be blocked and require router-side ACL updates. Track the upstream repository (https://github.com/pavel-odintsov/fastnetmon) and the Lorikeet Security advisory (https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48694-juniper-netconf-injection) for a tagged fix release, and consult NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-48694.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31948
GHSA-f98m-cp3g-ghc5