cbcvebase.
CVE-2026-48687
published 2026-05-26


Priority: P265
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.65% (73.5th percentile)
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.

Affected (1 range)

Vendor: pavel-odintsov
Product: fastnetmon
Version range: <= 1.2.9
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: src/juniper_plugin/fastnetmon_juniper.php
command: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP)
  • Monitor for execution of fastnetmon_juniper.php with unexpected or shell-metacharacter-containing arguments in argv[1], argv[2], or argv[3] (attack IP, direction, power). Unsanitized input is passed directly into exec() shell commands.
  • Alert on PHP process (php/php-cli) spawning child processes (e.g., via exec()) from the path src/juniper_plugin/fastnetmon_juniper.php, especially where the child process is not simply 'echo' or 'date' but contains shell metacharacters (`;`, `|`, `$()`, backticks).
  • Detect direct invocation of fastnetmon_juniper.php outside of FastNetMon's C++ core (e.g., by orchestration systems or manual execution), as the PHP script performs no input validation or shell escaping and is exploitable when called with attacker-controlled arguments.
  • Flag FastNetMon Community Edition installations at version 1.2.9 or below for the presence of the vulnerable Juniper plugin file and audit whether the plugin is reachable by non-core callers.
  • The vulnerability is only safely mitigated when the PHP script is exclusively invoked by FastNetMon's C++ core using inet_ntoa()-sourced IP addresses (dotted-decimal only). Any direct invocation, orchestration-system call, or future code change that passes string-sourced IPs reintroduces exploitability.
  • The recommended fix is to replace exec() with file_put_contents() for logging, or to apply escapeshellarg() to all parameters ($msg and $FILE_LOG_TMP) before passing them to exec().
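The two fixes named in the description and in the last bullet, written out as an added example. This is not FastNetMon's code and not taken from the advisory sources: the log path, the `[FASTNETMON]` tag spelling, the `date('r')` timestamp format and the accepted direction values (`incoming`/`outgoing`) are assumptions made for the example. It shows a `_log()` that never starts a shell, an `exec()` variant that escapes every interpolated value including the path, and validation of the three argv-derived fields before they are used at all.

```php
<?php
// Added example, not FastNetMon's own code. Hardened logging for the pattern
// described in CVE-2026-48687. Assumed: the log path below is a placeholder,
// and the direction whitelist reflects what the caller is expected to pass.

$FILE_LOG_TMP = '/var/tmp/fastnetmon_juniper.log'; // placeholder path

// The pattern quoted by the advisory, for contrast only (do not use):
//   exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP);
// $msg is spliced into a shell command line, so any shell metacharacter in it
// is interpreted by the shell rather than written to the log.

// Preferred fix: append the line with file_put_contents() and start no shell.
// date('r') stands in for the shell `date`; the exact format is our choice.
function _log(string $msg): bool
{
    global $FILE_LOG_TMP;
    $line = date('r') . ' - [FASTNETMON] - ' . $msg . "\n";
    return file_put_contents($FILE_LOG_TMP, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Alternative if exec() must remain: escape every value that reaches the
// command line, the message and the path alike. escapeshellarg() single-quotes
// its argument, so the shell treats the whole string as literal text.
function _log_via_exec(string $msg): int
{
    global $FILE_LOG_TMP;
    $cmd = 'echo ' . escapeshellarg(date('r') . ' - [FASTNETMON] - ' . $msg)
         . ' >> ' . escapeshellarg($FILE_LOG_TMP);
    exec($cmd, $output, $status);
    return $status;
}

// Validate the argv-derived fields (attack IP, direction, power) before they
// are used anywhere, independently of which logging fix is applied. The IP
// check accepts IPv4 and IPv6; the direction whitelist is an assumption.
function parse_args(array $argv): array
{
    if (count($argv) < 4) {
        fwrite(STDERR, "usage: {$argv[0]} <ip> <direction> <power>\n");
        exit(1);
    }
    $ip = filter_var($argv[1], FILTER_VALIDATE_IP);
    if ($ip === false) {
        fwrite(STDERR, "rejected: argv[1] is not an IP address\n");
        exit(1);
    }
    $direction = $argv[2];
    if (!in_array($direction, ['incoming', 'outgoing'], true)) {
        fwrite(STDERR, "rejected: argv[2] must be incoming or outgoing\n");
        exit(1);
    }
    $power = $argv[3];
    if (!ctype_digit($power)) {
        fwrite(STDERR, "rejected: argv[3] must be a non-negative integer\n");
        exit(1);
    }
    return [$ip, $direction, (int) $power];
}

// Entry point when run as a CLI script: php fastnetmon_juniper_hardened.php 192.0.2.1 incoming 100000
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    [$ip, $direction, $power] = parse_args($argv);
    if (!_log("attack ip={$ip} direction={$direction} power={$power}")) {
        fwrite(STDERR, "failed to write {$FILE_LOG_TMP}\n");
        exit(1);
    }
}
```

Of the two, `_log()` is the stronger fix: with no shell in the path there is nothing to escape, and a future change that passes string-sourced IPs cannot reintroduce the injection. `_log_via_exec()` is only for cases where the shell redirection genuinely has to stay; note that it escapes `$FILE_LOG_TMP` as well, since the advisory's bullet lists both parameters. The argv validation addresses the first detection bullet from the other side: a value containing shell metacharacters never gets past `parse_args()`.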