CRITICAL🇵🇱 Wersja polska

CVE-2026-48687

CVSS 9.8pub. 2026-05-26upd. 2026-05-27

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.

🤖 AI Analysis
How it works

The _log() function in src/juniper_plugin/fastnetmon_juniper.php file (lines 117–118) constructs shell commands by directly concatenating the $msg parameter with the exec() call: exec("echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unvalidated data from command-line arguments argv[1]–argv[3], which represent the attack IP address, traffic direction, and attack strength. The PHP script performs no input validation or shell argument escaping, enabling arbitrary command injection. The vulnerability is active when the script is invoked directly, called by an external orchestration system, or after any potential future code changes passing data other than safe decimal-dot notation.

Impact

An attacker who can control arguments passed to the PHP script can execute arbitrary system commands in the context of the process permissions, which may lead to full server takeover, data disclosure, and violation of system integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to references. As a temporary workaround, it is recommended to replace the exec() call with file_put_contents() function or apply escapeshellarg() to all input parameters. You should also restrict the ability to directly invoke the PHP script by unauthorized systems or users.

Who is affected

FastNetMon Community Edition versions up to 1.2.9 (inclusive), with active Juniper plugin integration (file src/juniper_plugin/fastnetmon_juniper.php)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Pavel Odintsov Fastnetmon

    APP
    Pavel-Odintsov
    ≤ 1.2.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-48691CRITICAL9.8PL ✓ten sam produkt

FastNetMon: integer overflow w enkodowaniu BGP AS_PATH prowadzący do heap buffer overflow

CVE-2026-48686CRITICAL9.8PL ✓ten sam produkt

Stack buffer overflow w FastNetMon — RCE przez BGP NLRI

CVE-2026-48689CRITICAL9.8PL ✓ten sam produkt

FastNetMon: off-by-one heap buffer overflow umożliwiający RCE

CVE-2026-48690HIGH7.1ten sam produkt

FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture bu...

CVE-2026-48688HIGH7.5ten sam produkt

FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6...