Description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg().
Published: 2026-05-26
Score: 8.1 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition through version 1.2.9 contains an OS command injection flaw in the MikroTik router integration plugin. The _log() routine builds a shell command by concatenating the $msg parameter directly into an exec() call. The $msg variable is populated from unfiltered command‑line arguments, creating a classic CWE‑78 vulnerability that allows an attacker who can influence argv[] values to inject arbitrary shell commands. Successful exploitation results in remote code execution with the privileges of the FastNetMon process, potentially giving full control over the host.

Affected Systems

All deployments of FastNetMon Community Edition 1.2.9 or earlier that enable the MikroTik integration plugin are affected. The vulnerability resides in src/mikrotik_plugin/fastnetmon_mikrotik.php of the open‑source project hosted on GitHub by pavel‑odintsov. Versions released after 1.2.9 are believed to incorporate the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high‑severity OS command injection. Exploitation requires the ability to modify command‑line arguments delivered to the FastNetMon process, which can be achieved locally or via any trusted input source that the process consumes. Once the attacker can inject commands, they run with the same privileges as the FastNetMon service, which may be root or otherwise privileged. The EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but the impact and severity warrant immediate remediation.

Generated by OpenCVE AI on June 17, 2026 at 11:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the vulnerable exec() call with file_put_contents() or wrap the $msg value in escapeshellarg() as recommended by the vendor.
  • Upgrade FastNetMon to any version newer than 1.2.9 to obtain the official patch; if no update is available, apply the code change manually.
  • If the MikroTik feature is unnecessary, disable or uninstall the plugin to remove the attack vector.
  • Run FastNetMon under a restricted user with the least privilege necessary to limit the damage if the vulnerability cannot be patched immediately.
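The two remediation options above side by side, as an added PHP example (the plugin's own language) that is not FastNetMon's code: the exec() line in _log_vulnerable is the shape quoted in the description, while _log_safe and _log_via_quoted_shell show the file_put_contents() and escapeshellarg() replacements. The log path, the hostile sample message and the assumed four-argument notify layout (ip, direction, pps, action) checked by validate_notify_args are constructed for the illustration.

```php
<?php
// Added illustration for the CWE-78 pattern in this advisory; not FastNetMon's
// own code. The log path and the sample arguments below are assumed/constructed.

const FILE_LOG_TMP = '/tmp/fastnetmon_mikrotik_example.log'; // assumed path

// Vulnerable shape quoted in the advisory: $msg is spliced into a shell command,
// so any metacharacter in it (;, `, $(), |) becomes part of the command.
function _log_vulnerable(string $msg, string $logFile = FILE_LOG_TMP): void
{
    exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $logFile);
}

// Hardened form 1: write the line directly. No shell is spawned, so the
// message is only ever data. Control characters are dropped so a crafted
// message cannot forge extra log lines either.
function _log_safe(string $msg, string $logFile = FILE_LOG_TMP): void
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $msg);
    $line  = date('r') . ' - [FASTNETMON] - ' . $clean . "\n";
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Hardened form 2: if a shell is unavoidable, every attacker-influenced value
// goes through escapeshellarg(), which wraps it in single quotes and escapes
// embedded quotes so the shell treats it as one literal argument.
function _log_via_quoted_shell(string $msg, string $logFile = FILE_LOG_TMP): void
{
    $cmd = 'echo ' . escapeshellarg(date('r') . ' - [FASTNETMON] - ' . $msg)
         . ' >> ' . escapeshellarg($logFile);
    exec($cmd);
}

// Defensive check on the plugin's argv before any of it is used. Assumed
// layout: <ip> <direction> <pps> <action>; none of these legitimately contain
// shell metacharacters, so anything that does not match is rejected up front.
function validate_notify_args(array $argv): array
{
    if (count($argv) < 5) {
        throw new InvalidArgumentException('expected: <ip> <direction> <pps> <action>');
    }
    [$ip, $direction, $pps, $action] = array_slice($argv, 1, 4);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('bad ip');
    }
    if (!in_array($direction, ['incoming', 'outgoing'], true)) {
        throw new InvalidArgumentException('bad direction');
    }
    if (!ctype_digit($pps)) {
        throw new InvalidArgumentException('bad pps');
    }
    if (!in_array($action, ['ban', 'unban', 'attack_details'], true)) {
        throw new InvalidArgumentException('bad action');
    }
    return compact('ip', 'direction', 'pps', 'action');
}

// Constructed hostile input: a semicolon and backticks that a shell would
// interpret if the value reached it unquoted.
$hostile = '192.0.2.10 incoming 1000 ban; `id`';
_log_safe($hostile);              // logged verbatim, nothing executed
_log_via_quoted_shell($hostile);  // likewise, passed to echo as one argument

try {
    validate_notify_args(['script', '192.0.2.10', 'incoming', '1000', 'ban; `id`']);
} catch (InvalidArgumentException $e) {
    _log_safe('rejected notify arguments: ' . $e->getMessage());
}
```

Of the two hardened forms, _log_safe is the stronger choice: it removes the shell from the picture entirely rather than relying on correct quoting at every call site, and the input check in validate_notify_args rejects malformed arguments before they reach any sink.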

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title MikroTik Plugin OS Command Injection in FastNetMon Community Edition

Tue, 16 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Title MikroTik Plugin OS Command Injection in FastNetMon Community Edition

Wed, 27 May 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Tue, 26 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition MikroTik Plugin OS Command Injection

Tue, 26 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pavel-odintsov; Pavel-odintsov fastnetmon
Vendors & Products | | Pavel-odintsov; Pavel-odintsov fastnetmon
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title FastNetMon Community Edition MikroTik Plugin OS Command Injection
Weaknesses CWE-78

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg().
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:17:41.811Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48695

Vulnrichment

Updated: 2026-05-26T20:16:15.931Z

NVD

Status : Analyzed

Published: 2026-05-26T18:16:52.950

Modified: 2026-05-27T15:51:44.477

Link: CVE-2026-48695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T12:00:08Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')