Description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
Published: 2026-05-26
Score: 8.1 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition versions up to 1.2.9 contain an OS command injection flaw in the Juniper router integration plugin. The PHP _log() function builds shell commands by concatenating user‑supplied data directly into exec() calls without sanitization, allowing an attacker to inject arbitrary shell commands. If exploited, the attacker could execute any privilege‑baked command on the host, compromising confidentiality, integrity, and availability of the system.

Affected Systems

FastNetMon Community Edition, including the Juniper integration plugin, is affected for all releases through version 1.2.9. The vulnerability is present in the PHP script located in src/juniper_plugin/fastnetmon_juniper.php and relies on command‑line inputs passed as argv[1] through argv[3].

Risk and Exploitability

The flaw enables arbitrary command execution, with a CVSS score of 8.1 indicating high severity. The likely attack vector is inferred from the description: the exec() call uses unsanitized input from argv[1]–[3], which can originate from external orchestrations or may be supplied directly to the script, suggesting local execution by a privileged or compromised user or remote exposure if the script is reachable from outside. The EPSS score of < 1% indicates a very low but nonzero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The absence of input validation and shell escaping makes exploitation straightforward for an attacker with access to the execution environment.

Generated by OpenCVE AI on May 27, 2026 at 22:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastNetMon to a version newer than 1.2.9 where the Juniper plugin has been fixed.
  • If an upgrade is not immediately possible, edit src/juniper_plugin/fastnetmon_juniper.php to replace exec() calls with file_put_contents() or wrap the $msg variable in escapeshellarg().
  • Configure the system so that the PHP script cannot be executed directly or accessed by untrusted processes; restrict its execution to the FastNetMon core only.

Generated by OpenCVE AI on May 27, 2026 at 22:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FastNetMon Juniper Plugin

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FastNetMon Juniper Plugin
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Weaknesses CWE-78
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T17:23:49.636Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48687

cve-icon Vulnrichment

Updated: 2026-05-27T17:23:41.018Z

cve-icon NVD

Status : Modified

Published: 2026-05-26T16:16:26.800

Modified: 2026-06-17T10:55:10.637

Link: CVE-2026-48687

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T23:00:07Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')