Skip to main content

FastNetMon Community Edition EUVDEUVD-2026-31948

| CVE-2026-48694 HIGH
OS Command Injection (CWE-78)
2026-05-26 mitre GHSA-f98m-cp3g-ghc5
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 10:09 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
8.1 (HIGH)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF set-configuration commands at lines 69 and 90 without any validation or sanitization. Line 69: $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"). Line 90: $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"). An attacker who can control the IP address string can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set/delete commands. This could modify the router's routing table, firewall filters, user accounts, or any other configuration element accessible via NETCONF. The impact is full router compromise.

AnalysisAI

Configuration injection in FastNetMon Community Edition through 1.2.9 allows an attacker who controls the attacker IP string passed to the Juniper integration plugin to inject arbitrary Juniper NETCONF set/delete commands, leading to full router compromise. The flaw lives in the PHP-based Juniper plugin where unsanitized argv input is interpolated into NETCONF commands, and although no public exploit identified at time of analysis (EPSS 0.03%), the technical impact is rated total under SSVC and CVSS scores 8.1.

Technical ContextAI

FastNetMon is an open-source DDoS detection toolkit that triggers external mitigation scripts when traffic anomalies are detected; its Juniper integration ships as a PHP script (src/juniper_plugin/fastnetmon_juniper.php) that uses a NETCONF library to push BGP blackhole/static-route commands to Juniper routers. The vulnerability is a textbook CWE-78 (OS Command Injection)-class issue applied to a router configuration channel: at lines 69 and 90 the $IP_ATTACK variable, taken directly from argv[1], is string-interpolated into the load_set_configuration() payload without validation, so embedded newline characters terminate the intended 'set routing-options static route ...' statement and let the attacker append additional set/delete CLI configuration elements that NETCONF will commit. The CPE entry is the placeholder n/a:n/a, reflecting that FastNetMon Community Edition is not yet enumerated in the official CPE dictionary; affected versions must be taken from the description (≤1.2.9) and the upstream GitHub repository pavel-odintsov/fastnetmon.

RemediationAI

No vendor-released patch identified at time of analysis; the references list links to the GitHub project and a third-party advisory but no fixed FastNetMon release. As a compensating control, validate $IP_ATTACK in src/juniper_plugin/fastnetmon_juniper.php with a strict IPv4/IPv6 regex (or PHP filter_var with FILTER_VALIDATE_IP) before passing it to load_set_configuration, rejecting any input containing whitespace, newlines, or NETCONF metacharacters - the trade-off is a local patch that may diverge from upstream. Operationally, restrict which subsystems can invoke the Juniper plugin (run FastNetMon and its callout scripts under a dedicated unprivileged account, lock down the NETCONF user on the router to only the set/delete routing-options static route command set via Juniper login class command-allow/deny regex), so even successful injection cannot reconfigure firewall filters or user accounts; the side effect is that legitimate future additions to the integration may also be blocked and require router-side ACL updates. Track the upstream repository (https://github.com/pavel-odintsov/fastnetmon) and the Lorikeet Security advisory (https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48694-juniper-netconf-injection) for a tagged fix release, and consult NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-48694.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-31948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy