CVE-2026-48687
Published 2026-05-26
Priority: P2 · 65 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.65% (73.5th percentile)
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pavel-odintsov | fastnetmon | <= 1.2.9 | — |
Detection & IOCs (extracted from sources)
- Monitor for execution of fastnetmon_juniper.php with unexpected or shell-metacharacter-containing arguments in argv[1], argv[2], or argv[3] (attack IP, direction, power). Unsanitized input is passed directly into exec() shell commands.
- Alert on a PHP process (php/php-cli) spawning child processes (e.g., via exec()) from the path src/juniper_plugin/fastnetmon_juniper.php, especially where the child process is not simply 'echo' or 'date' but contains shell metacharacters (`;`, `|`, `$()`, backticks).
- Detect direct invocation of fastnetmon_juniper.php outside of FastNetMon's C++ core (e.g., by orchestration systems or manual execution), as the PHP script performs no input validation or shell escaping and is exploitable when called with attacker-controlled arguments.
- Flag FastNetMon Community Edition installations at version 1.2.9 or below for the presence of the vulnerable Juniper plugin file and audit whether the plugin is reachable by non-core callers.
- The vulnerability is only safely mitigated when the PHP script is exclusively invoked by FastNetMon's C++ core using inet_ntoa()-sourced IP addresses (dotted-decimal only). Any direct invocation, orchestration-system call, or future code change that passes string-sourced IPs reintroduces exploitability.
- The recommended fix is to replace exec() with file_put_contents() for logging, or to apply escapeshellarg() to all parameters ($msg and $FILE_LOG_TMP) before passing them to exec().
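The hardened form of the logging and argument handling described above, as an added example that is not FastNetMon's own code: `_log()` writes with `file_put_contents()` so no shell is involved, the three positional arguments are validated before use, and `safe_shell_command()` shows the `escapeshellarg()` alternative for any remaining shell call. The log path, the direction vocabulary and the helper names other than `_log`/`$msg`/`$FILE_LOG_TMP` are assumptions.

```php
<?php
// Added example for CVE-2026-48687, not the project's code. Only $msg and
// $FILE_LOG_TMP come from the advisory; everything else is assumed.

$FILE_LOG_TMP = '/tmp/fastnetmon_juniper.log';   // assumed path

// The vulnerable shape from the advisory, shown for comparison and never called:
//   exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP);

// Hardened logger: the message is data written to a file, never part of a command line.
function _log(string $msg, string $logFile): bool
{
    $line = date('r') . ' - [FASTNETMON] - ' . $msg . PHP_EOL;
    return file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Validate argv[1..3] (attack IP, direction, power) before anything downstream sees them.
function parse_args(array $argv): array
{
    if (count($argv) < 4) {
        throw new InvalidArgumentException('usage: fastnetmon_juniper.php <ip> <direction> <power>');
    }
    $ip = filter_var($argv[1], FILTER_VALIDATE_IP);   // rejects anything that is not an IP literal
    if ($ip === false) {
        throw new InvalidArgumentException('argv[1] is not an IP address');
    }
    // Assumed direction vocabulary; adjust to what the real caller passes.
    if (!in_array($argv[2], ['incoming', 'outgoing'], true)) {
        throw new InvalidArgumentException('argv[2] is not a known direction');
    }
    if (!ctype_digit($argv[3])) {                     // power must be a non-negative integer
        throw new InvalidArgumentException('argv[3] is not a non-negative integer');
    }
    return [$ip, $argv[2], (int) $argv[3]];
}

// If a shell command is still unavoidable, escape every argument individually
// instead of interpolating raw strings into the command line.
function safe_shell_command(string $bin, array $args): string
{
    return escapeshellcmd($bin) . ' ' . implode(' ', array_map('escapeshellarg', $args));
}

if (PHP_SAPI === 'cli') {
    [$ip, $direction, $power] = parse_args($argv);
    _log("attack ip=$ip direction=$direction power=$power", $FILE_LOG_TMP);
}
```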
VulDB
FastNetMon Community Edition up to 1.2.9 fastnetmon_juniper.php _log msg os command injection (Nessus ID 321184)
vuldb · 2026-06-19 · CVSS 9.8 · CRITICAL
A vulnerability labeled as critical has been found in FastNetMon Community Edition up to 1.2.9. Affected by this vulnerability is the function _log of the file src/juniper_plugin/fastnetmon_juniper.php. Executing a manipulation of the argument msg can lead to os command injection.
This vulnerability is tracked as CVE-2026-48687. The attack is only possible within the local network. No exploit exists.
GHSA
GHSA-qx97-6jw5-h44w: FastNetMon Community Edition through 1
ghsa_unreviewed · 2026-05-26 · CRITICAL · CWE-78
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48687 fastnetmon: OS command injection in the Juniper router integration plugin [fedora-all]
bugzilla · 2026-05-28 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48687 fastnetmon: OS command injection in the Juniper router integration plugin [epel-all]
bugzilla · 2026-05-28 · CVSS 9.8 · CRITICAL
Bugzilla
CVE-2026-48687 fastnetmon: OS command injection in the Juniper router integration plugin
bugzilla · 2026-05-26 · CVSS 9.8 · CRITICAL