CVE Catalog

CVE-2026-48687

Critical
Published: Translated: NVD NIST

Summary

FastNetMon Community Edition up to version 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in fastnetmon_juniper.php constructs shell commands by concatenating the $msg parameter directly into exec() calls.

Risk Assessment

This vulnerability could allow arbitrary system commands to be executed, posing a significant security risk to the system and the organization's data.

Recommendation

It is recommended to replace the exec() call with file_put_contents() or use escapeshellarg() on all parameters to secure the application against command injection.

Original NVD description (English source)

FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS