Description
FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
Published: 2026-05-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition up to version 1.2.9 writes its statistics to a predictable temporary file, /tmp/fastnetmon.dat, which it opens with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. The daemon sets the umask to 0 during startup, making all created files world‑writable, and the chmod() call that follows the write always operates on cli_stats_file_path rather than on the path that was actually written. A local attacker can create a symlink at the statistics path pointing to any target file and wait for the statistics write, causing the daemon to truncate the target file as the daemon user, typically root. This allows the attacker to overwrite arbitrary system files with root privileges.

Affected Systems

FastNetMon Community Edition versions 1.2.9 and earlier running on Linux as root are affected. The issue does not exist in later releases where the statistics file path is changed and symlink checks are added.

Risk and Exploitability

The exploit requires the ability to create a symlink in /tmp or local code execution. Because the daemon runs as root, the attack would result in arbitrary file overwrite as root and could lead to full system compromise. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 indicates moderate severity for local privilege escalation. The likely attack vector is local.

Generated by OpenCVE AI on May 27, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastNetMon to version 1.3.0 or later, which removes the predictable statistics file path and adds proper symlink checks.
  • If an upgrade cannot be performed immediately, stop the daemon and run it under a non‑privileged user; change the statistics file location to a directory owned by that user and set a restrictive umask such as 022 so that created files are not world‑writable.
  • Ensure that /tmp/fastnetmon.dat has restrictive permissions (chmod 600) or delete the file before starting the daemon to prevent the root process from truncating an arbitrary target file.
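One way to write a statistics file without the three flaws described above (symlink following, umask-dependent permissions, chmod on a path), shown as an added example and not FastNetMon's own code or its actual fix. `write_stats_safely` is a hypothetical helper name, and the target directory is assumed to be owned by the daemon user.

```cpp
// Added example: symlink-safe replacement of a statistics file (POSIX).
#include <cerrno>
#include <cstdlib>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// write_stats_safely() is a hypothetical helper, not FastNetMon code.
// Returns 0 on success or an errno value on failure.
int write_stats_safely(const std::string& path, const std::string& data,
                       mode_t mode = 0600) {
    // mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL,
    // so a pre-planted symlink or file at the temporary name is never followed.
    std::string tmpl = path + ".XXXXXX";
    std::vector<char> tmp(tmpl.begin(), tmpl.end());
    tmp.push_back('\0');
    int fd = mkstemp(tmp.data());
    if (fd < 0) return errno;

    int err = 0;
    // fchmod() acts on the descriptor just created: the mode is explicit
    // (independent of umask) and cannot land on a different path.
    if (fchmod(fd, mode) != 0) err = errno;

    size_t off = 0;
    while (err == 0 && off < data.size()) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n < 0) { if (errno == EINTR) continue; err = errno; }
        else off += static_cast<size_t>(n);
    }
    if (close(fd) != 0 && err == 0) err = errno;

    // rename() replaces the directory entry at `path`; if that entry is a
    // symlink, the link itself is replaced and its target is left untouched.
    if (err == 0 && rename(tmp.data(), path.c_str()) != 0) err = errno;
    if (err != 0) unlink(tmp.data());
    return err;
}
```

Because rename() is atomic within one filesystem, readers of the statistics file see either the old contents or the new ones, never a truncated file.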


Advisories

No advisories yet.

History

Wed, 27 May 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Wed, 27 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title Local Symlink Attack via Predictable Temporary File in FastNetMon

Tue, 26 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Symlink Attack Allows Root File Overwrite in FastNetMon Community Edition
Weaknesses CWE-22
CWE-284

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title Symlink Attack Allows Root File Overwrite in FastNetMon Community Edition
Weaknesses CWE-22
CWE-284

Tue, 26 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:33:37.827Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48693

Vulnrichment

Updated: 2026-05-26T20:31:06.082Z

NVD

Status: Analyzed

Published: 2026-05-26T17:16:53.807

Modified: 2026-06-17T10:55:11.630

Link: CVE-2026-48693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T00:30:20Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')