Description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition versions up to 1.2.9 include an OS command injection flaw in the Juniper router integration plugin. The PHP _log() function builds shell commands by concatenating user‑supplied data directly into exec() calls without sanitization, allowing an attacker to inject arbitrary shell commands. If exploited, the attacker could execute any privilege‑baked command on the host, compromising confidentiality, integrity, and availability of the system.

Affected Systems

FastNetMon Community Edition, including the Juniper integration plugin, is affected for all releases through version 1.2.9. The vulnerability is present in the PHP script located in src/juniper_plugin/fastnetmon_juniper.php and relies on command‑line inputs passed as argv[1] through argv[3].

Risk and Exploitability

The flaw enables arbitrary command execution, which is a high‑impact exploitation. Since the PHP script can be invoked directly or by orchestration systems, the attack vector is both local and potentially remote if the script is exposed. The vulnerability does not appear in the CISA KEV catalog and no EPSS score is available, but the absence of input validation and shell escaping makes exploitation straightforward for an attacker with access to the execution environment.

Generated by OpenCVE AI on May 26, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastNetMon to a version newer than 1.2.9 where the Juniper plugin has been fixed.
  • If an upgrade is not immediately possible, edit src/juniper_plugin/fastnetmon_juniper.php to replace exec() calls with file_put_contents() or wrap the $msg variable in escapeshellarg().
  • Configure the system so that the PHP script cannot be executed directly or accessed by untrusted processes; restrict its execution to the FastNetMon core only.

Generated by OpenCVE AI on May 26, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FastNetMon Juniper Plugin
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-78
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T14:49:49.999Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48687

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-26T16:16:26.800

Modified: 2026-05-26T16:16:26.800

Link: CVE-2026-48687

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T16:30:10Z

Weaknesses