Description
OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.
Published: 2026-06-25
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Rapid7 InsightConnect Finger Plugin on Linux contains an OS Command Injection flaw due to inadequate input validation of the user and host parameters that are inserted into a shell command. An authenticated attacker can supply crafted values to these parameters and execute arbitrary operating-system commands, which could allow full control of the host on which the plugin is running, leading to data theft, system compromise, or further lateral movement.

Affected Systems

The vulnerability affects the Rapid7 InsightConnect Finger Plugin on Linux installations. No specific product version information is supplied in the advisory, so all instances of the plugin should be considered potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 6.0 indicates a moderate severity rating. The EPSS score is not available, and the issue is not currently listed in CISA’s Known Exploited Vulnerabilities catalog. The attack requires authentication to the InsightConnect environment, suggesting an insider or compromised credential scenario. Because the vulnerability provides a straightforward injection point, exploitation could be achieved with minimal effort once access is obtained, although the exact probability of exploitation cannot be quantified due to the missing EPSS data.

Generated by OpenCVE AI on June 25, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rapid7 InsightConnect Finger Plugin to the latest version provided by Rapid7.
  • If a patch cannot be applied immediately, restrict usage of the Finger Plugin to a minimal set of trusted operators and enforce strict validation of the user and host parameters to prevent shell injection.
  • If the plugin is unnecessary, disable it or remove it entirely from the InsightConnect environment.
  • Enable logging and monitoring of shell command executions within InsightConnect to detect any anomalous activity related to this plugin.
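The second recommended action above (strict validation of the user and host parameters and no shell in the command construction) is the core of the fix for a CWE-78 bug of this kind. The following Python code is an added illustration written for this page; it is not the Finger Plugin's source, and the allowlist rules, function names and the finger invocation are assumptions. It contrasts the unsafe string-splicing pattern with a hardened version that validates both parameters against an allowlist and then executes finger with an argv list, so no shell ever interprets the input.

```python
import ipaddress
import re
import shutil
import subprocess

# Allowlists constructed for this example (not Rapid7's validation rules).
# A user name must start with a letter or digit so it can never be parsed as a
# finger option such as "-l"; after that only a small set of safe characters.
_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")
# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL})(?:\.{_LABEL})*$")


def unsafe_finger_command(user: str, host: str) -> str:
    """The CWE-78 pattern: untrusted input spliced into a string that is then
    handed to a shell. Shown for contrast only; this never executes anything."""
    return f"finger {user}@{host}"


def validate_user(user: str) -> str:
    """Reject anything outside the allowlist rather than trying to escape it."""
    if not _USER_RE.fullmatch(user):
        raise ValueError("user contains characters outside the allowlist")
    return user


def validate_host(host: str) -> str:
    """Accept a bare IP literal or an RFC 1123 style host name, nothing else."""
    if len(host) > 253:
        raise ValueError("host is too long")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if not _HOST_RE.fullmatch(host):
        raise ValueError("host is not a valid host name")
    return host


def build_finger_argv(user: str, host: str) -> list[str]:
    """Validate both parameters, then return an argv list. Because the list is
    passed directly to execve (no shell), metacharacters in the input carry no
    special meaning even if the allowlist were ever loosened."""
    return ["finger", f"{validate_user(user)}@{validate_host(host)}"]


def is_rejected(user: str, host: str) -> bool:
    """True when validation refuses the pair; used to exercise the allowlists."""
    try:
        build_finger_argv(user, host)
    except ValueError:
        return True
    return False


def run_finger(user: str, host: str, timeout: float = 10.0) -> str:
    """Execute finger safely: validated argv, resolved binary path, no shell,
    bounded runtime. Assumes a finger client is installed on the host."""
    argv = build_finger_argv(user, host)
    binary = shutil.which(argv[0])
    if binary is None:
        raise RuntimeError("finger binary not installed")
    argv[0] = binary
    # shell=False is the default; it is stated explicitly to document the intent.
    result = subprocess.run(argv, shell=False, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    print(build_finger_argv("alice", "example.com"))
    print(is_rejected("-l", "example.com"), is_rejected("alice", "exa mple.com"))
```

Validation-by-allowlist and shell-free execution are independent layers: the allowlist stops option injection (a user name beginning with "-") and keeps error messages simple, while the argv list removes the shell entirely, which is what actually eliminates the CWE-78 class regardless of how the input looks.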

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 01:45:00 +0000

Type        | Values Removed | Values Added
Description |                | OS Command Injection vulnerability in Rapid7 InsightConnect Finger Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the user or host parameters due to insufficient input validation in shell command construction.
Title       |                | OS Command Injection in Rapid7 InsightConnect Finger Plugin
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1: {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-06-25T12:16:59.346Z

Reserved: 2026-05-15T06:29:08.710Z

Link: CVE-2026-8664

Vulnrichment

Updated: 2026-06-25T12:16:55.899Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:30:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')