CVE ID: CVE-2026-48695
CVSS Score: 8.1 HIGH
Vulnerability Type: CWE-78 (OS Command Injection), CWE-798 (Use of Hard-coded Credentials)
Affected Software: FastNetMon Community Edition <= 1.2.9
Affected Component: src/mikrotik_plugin/fastnetmon_mikrotik.php
Attack Vector: Indirect remote via attack notification pipeline
Impact: Remote code execution as root + unauthorized MikroTik router access
Patch Status: No vendor fix as of May 23, 2026
Discovered By: Lorikeet Security (April 25, 2026)
CVE Assigned: May 22, 2026
NVD Entry: nvd.nist.gov/vuln/detail/CVE-2026-48695

What Is CVE-2026-48695?

CVE-2026-48695 is a high-severity vulnerability (CVSS 8.1) in FastNetMon Community Edition's MikroTik integration plugin. It affects all versions through 1.2.9 and combines two distinct weaknesses: OS command injection via unsanitized input passed to exec(), and hardcoded MikroTik router credentials stored in plaintext. Discovered by Lorikeet Security on April 25, 2026, the vulnerability has no vendor patch as of the public disclosure date.

This is one of 16 CVEs disclosed in the FastNetMon codebase during the same research cycle. Several follow the same pattern: shell commands constructed from unsanitized attack data. The MikroTik plugin stands out because it also ships with hardcoded router credentials, giving anyone who reads the open-source code a working login for any MikroTik router whose operator left those defaults in place.

The Vulnerable Code

Vulnerability 1: Command Injection in _log()

The MikroTik plugin includes a logging function at lines 105-109 of fastnetmon_mikrotik.php:

function _log( $msg ) {
    exec( "echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP );
}

The $msg parameter is concatenated directly into a shell command string that PHP's exec() hands to /bin/sh. No escaping, no sanitization, no validation. The plugin calls _log() with attack data throughout, including the variables $IP_ATTACK, $DIRECTION_ATTACK, and $POWER_ATTACK, all of which originate from FastNetMon's detection pipeline.

Note the quoting context: $msg lands inside a double-quoted shell string. Within double quotes the shell still performs command substitution, so a backtick pair or $( ) in the value runs immediately; a literal double quote in the value closes the string, after which semicolons, pipes, and redirections become active as well. Either way, arbitrary commands run with the privileges of the FastNetMon process.
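The quoting behaviour described above, shown as an added shell example that is not FastNetMon code: it rebuilds the command string that _log() hands to PHP's exec(), runs it the same way exec() does (/bin/sh -c "<string>"), and probes three builders with a constructed attack value. It also covers a tempting half-fix, wrapping only the value in single quotes inside the existing double-quoted string, which does not help. The log path, the payload and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not FastNetMon code). Rebuilds the command string that the
# plugin's _log() passes to PHP exec(), runs it the way exec() does
# (/bin/sh -c "<string>"), and checks whether a value carrying $( ) executes.
# Log path, payload and function names are this example's own.

LOG=$(mktemp)
sq="'"

# 1. Mirror of the vulnerable builder: the value lands inside a double-quoted
#    shell string, where backticks and $( ) are still expanded.
vulnerable_cmd() {
    printf 'echo `date` "- [FASTNETMON] - %s " >> %s' "$1" "$LOG"
}

# 2. Value wrapped in single quotes but still inside the double quotes (what
#    escapeshellarg() applied to $msg alone would produce). Inside double
#    quotes the single quotes are ordinary characters, so $( ) still expands.
quoted_inside_cmd() {
    printf 'echo `date` "- [FASTNETMON] - %s%s%s " >> %s' "$sq" "$1" "$sq" "$LOG"
}

# 3. Hardened builder: the whole log line is one single-quoted argument, with
#    embedded single quotes escaped as '\'' (the same rule escapeshellarg()
#    applies to a complete token). Nothing inside single quotes is expanded.
safe_cmd() {
    esc=$(printf '%s' "$(date) - [FASTNETMON] - $1" | sed "s/'/'\\\\''/g")
    printf "echo '%s' >> '%s'" "$esc" "$LOG"
}

# Feed a builder a constructed "attack value" whose $( ) tries to create a
# marker file, run the result like exec() would, and report the outcome:
# "executed" if the injected command ran, "inert" if it was logged literally.
probe() {
    marker=$(mktemp); rm -f "$marker"
    payload="10.0.0.1 \$(touch $marker)"
    sh -c "$("$1" "$payload")" 2>/dev/null
    if [ -e "$marker" ]; then rm -f "$marker"; echo executed; else echo inert; fi
}

for builder in vulnerable_cmd quoted_inside_cmd safe_cmd; do
    printf '%-18s %s\n' "$builder" "$(probe "$builder")"
done
echo "log written to $LOG"
```

Running it reports executed for the first two builders and inert for the third; the log file then contains the literal text $(touch ...) from the safe run, which is what a logger should have stored all along. The lesson carries over to PHP: escaping is only meaningful when the escaped token is the entire shell word, and the safest logger never spawns a shell at all.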

Vulnerability 2: Hardcoded MikroTik Credentials

At lines 31-33 of the same file, the plugin defines MikroTik router API credentials in plaintext:

$user = "api";
$pass = "api123";

These credentials are used to authenticate against MikroTik routers via the RouterOS API. Because FastNetMon Community Edition is open source, anyone can read these defaults. Any operator who deployed the plugin without changing these values has a MikroTik router accessible with known credentials.

This is a textbook CWE-798 (Use of Hard-coded Credentials). The credentials are not loaded from a configuration file or environment variable. They are literals in the source code.

What an Attacker Can Do

The command injection is exploitable remotely, but indirectly. The attack chain works as follows:

  1. Trigger detection. The attacker sends spoofed traffic toward a network monitored by FastNetMon so that the traffic volume or packet rate exceeds the configured detection threshold.
  2. FastNetMon invokes the plugin. When FastNetMon declares an "attack," it calls the MikroTik plugin with parameters describing the event: the IP involved, the direction, and the attack power.
  3. Plugin logs the event. _log() receives those parameters and splices them, unsanitized, into the exec() command string.
  4. Shell metacharacters execute. If any of those values carries a backtick pair, $( ), or a closing double quote followed by further shell syntax, the embedded command runs as the FastNetMon process user.

How much of those values an attacker controls byte-for-byte depends on how FastNetMon formats each one before calling the plugin; an IP address or a direction keyword has a narrow format, so the practical path is whichever field reaches _log() carrying attacker-derived free text. The injection in _log() itself is unconditional: every byte of $msg is trusted.

FastNetMon typically runs as root, since packet capture from a mirror port needs raw socket access. That means successful exploitation gives the attacker root-level command execution on the detection server itself.

Combined with the hardcoded credentials, a successful attack yields two outcomes:

  • Root shell on the FastNetMon server via command injection through the _log() function
  • Authenticated access to MikroTik routers via the hardcoded api/api123 credentials, if the operator did not change them

A DDoS detection tool that can be weaponized through the traffic it monitors is a fundamental design failure. The detection pipeline becomes the attack surface.

Am I Affected?

You are affected by the command injection if all of the following are true:

  • You run FastNetMon Community Edition version 1.2.9 or earlier
  • The MikroTik plugin is enabled in your configuration
  • FastNetMon observes traffic (mirror port or flow export) that an outside party can push past its detection thresholds

If you deployed the MikroTik plugin without modifying the hardcoded credentials, your MikroTik routers are also at risk of unauthorized access, independent of the command injection vulnerability.

The command injection vulnerability is present regardless of whether you changed the credentials. Any deployment using the MikroTik plugin with an unpatched version of FastNetMon CE is vulnerable to remote code execution.

How to Fix and Mitigate

There is no vendor patch available as of May 23, 2026. The following mitigations reduce risk:

Immediate Steps

  1. Disable the MikroTik plugin. If you are not actively using the MikroTik integration, disable it in your FastNetMon configuration. This removes both the command injection and the credential exposure.
  2. Change MikroTik router credentials. If your routers have an api user with the api123 password (or any account matching the plugin defaults), change it immediately: on RouterOS, /user print lists accounts and /user set api password=<new-password> replaces the password. While there, restrict that user's permitted source address to the FastNetMon host (/user set api address=<fastnetmon-ip>) and bind the API service the same way (/ip service set api address=<fastnetmon-ip>), so a leaked credential cannot be used from anywhere else.
  3. Restrict FastNetMon's system privileges. Run FastNetMon under a dedicated, non-root user with minimal filesystem and network permissions. If it captures from a mirror port, grant the binary the CAP_NET_RAW capability instead of running it as root. This does not remove the injection, but it bounds what an injected command can do.

Code-Level Fix

If you must continue using the MikroTik plugin, patch _log() so that attack data never reaches a shell. Simply wrapping $msg in escapeshellarg() inside the existing command is not enough: the single quotes it adds would sit inside the double-quoted string, where they are literal characters and $( ) and backticks still expand. The robust fix is to drop the shell entirely and append to the log from PHP (this version assumes $FILE_LOG_TMP is the file-scope path variable the original function referenced):

function _log( $msg ) {
    global $FILE_LOG_TMP;
    // No exec(): write the line with PHP file I/O, so shell metacharacters
    // in $msg are stored literally instead of interpreted.
    $line = date( 'r' ) . " - [FASTNETMON] - " . $msg . "\n";
    file_put_contents( $FILE_LOG_TMP, $line, FILE_APPEND | LOCK_EX );
}

Where the plugin genuinely has to shell out elsewhere, pass each attacker-influenced value through escapeshellarg() as a complete, separately quoted token, never spliced into the middle of a larger quoted string.

Move credentials to a configuration file or environment variables, and never store them in source code:

// Load from environment instead of hardcoding
$user = getenv('MIKROTIK_API_USER') ?: die('MIKROTIK_API_USER not set');
$pass = getenv('MIKROTIK_API_PASS') ?: die('MIKROTIK_API_PASS not set');

The same command injection pattern exists in other FastNetMon plugins, including the Juniper plugin (CVE-2026-48687) and the Juniper NETCONF integration (CVE-2026-48694). If you use any FastNetMon plugin that calls external commands, audit every exec(), shell_exec(), system(), passthru(), popen(), and backtick-operator call site for attack data concatenated into the command string, and check for string-literal credentials while you are there.
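A quick audit for both patterns, as an added shell example that is not FastNetMon tooling. It scans a tree of PHP plugin files for shell-spawning calls whose command string concatenates a PHP variable, and for credential-looking variables assigned a string literal. The sample plugin it writes to a temporary directory is constructed for the demonstration; point audit_dir at your FastNetMon source tree instead. The regexes and the variable-name list are this example's choices and are deliberately broad, so treat hits as review candidates rather than confirmed findings.

```shell
#!/bin/sh
# Added audit helper (not FastNetMon code). Flags the two CWE patterns behind
# CVE-2026-48695 in a tree of PHP plugin files. Regexes and name lists are this
# example's choices and are intentionally broad.

# Shell-spawning calls whose command string concatenates a PHP variable
# (e.g. exec( "..." . $msg ... )): candidate command injection sites.
SHELL_RE='(^|[^A-Za-z0-9_])(exec|shell_exec|system|passthru|popen|proc_open)[[:space:]]*\(.*\.[[:space:]]*\$'

# Credential-looking variables assigned a non-empty string literal:
# candidate hard-coded secrets (CWE-798).
CREDS_RE="^[[:space:]]*\\\$(user|username|pass|password|secret|token)[[:space:]]*=[[:space:]]*[\"'][^\"']+[\"']"

find_shell_concat() {
    find "$1" -name '*.php' -exec grep -nHE "$SHELL_RE" {} +
}

find_hardcoded_creds() {
    find "$1" -name '*.php' -exec grep -nHE "$CREDS_RE" {} +
}

# Hit counts, so callers (and tests) can assert on them.
count_shell_concat()    { find_shell_concat "$1"    | wc -l | tr -d ' '; }
count_hardcoded_creds() { find_hardcoded_creds "$1" | wc -l | tr -d ' '; }

# Constructed sample plugin: one vulnerable logger, one safe logger, two literal
# credentials and one credential read from the environment. Prints the directory.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/sample_plugin.php" <<'EOF'
<?php
$user = "api";
$pass = "api123";
$FILE_LOG_TMP = "/tmp/sample_plugin.log";
$host = getenv('MIKROTIK_HOST');
function _log( $msg ) {
    global $FILE_LOG_TMP;
    exec( "echo `date` \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP );
}
function _log_safe( $msg ) {
    global $FILE_LOG_TMP;
    file_put_contents( $FILE_LOG_TMP, $msg . "\n", FILE_APPEND );
}
EOF
    echo "$dir"
}

audit_dir() {
    echo "== shell calls concatenating variables under $1"
    find_shell_concat "$1"
    echo "== string-literal credentials under $1"
    find_hardcoded_creds "$1"
}

# Usage: ./audit.sh /path/to/fastnetmon/src   (no argument: audit the sample)
audit_dir "${1:-$(make_sample_tree)}"
```

On the constructed sample the first scan reports only the exec() line inside _log(), and the second reports the $user and $pass assignments; the file_put_contents() logger and the getenv() lookup produce no hits. Against a real tree, expect noise from legitimate calls; the point is to produce a short list to read by hand.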

What This Means for Detection Tooling

CVE-2026-48695 illustrates a structural problem with detection tools that shell out to plugins using unsanitized data. When your DDoS detection system can be compromised by the traffic it monitors, the tool itself becomes attack surface. Hardcoded credentials compound the problem: anyone reading the open-source repository has the keys to your MikroTik routers.

Flowtriq takes a different approach. The agent runs as a managed binary with automatic updates, so vulnerabilities are patched without operator intervention. There are no plugin files with hardcoded credentials. The control plane uses authenticated, encrypted channels. Router and switch integrations use operator-configured credentials stored in an encrypted secrets store, never in source code. Detection runs at the kernel level with sub-second response times.

FastNetMon's unauthenticated gRPC API (CVE-2026-48692) adds another layer of exposure. The full list of disclosed vulnerabilities is covered in our analysis of all 16 FastNetMon CVEs.

Looking for DDoS detection that doesn't become attack surface?

Free 14-day trial. $9.99/node. Installs in 60 seconds.

Frequently Asked Questions

What is CVE-2026-48695?

CVE-2026-48695 is a high-severity vulnerability (CVSS 8.1) in FastNetMon Community Edition's MikroTik plugin. It combines OS command injection in the _log() function with hardcoded MikroTik router credentials (api/api123), allowing remote code execution through crafted attack traffic.

How is the command injection triggered?

An attacker sends spoofed traffic that triggers FastNetMon's DDoS detection. FastNetMon passes unsanitized attack parameters to the MikroTik plugin's _log() function, which calls exec() with the raw data. Shell metacharacters in the attack parameters execute arbitrary commands as the FastNetMon process user, typically root.

Is there a patch available?

No. As of May 23, 2026, no vendor fix has been released for CVE-2026-48695. Operators should disable the MikroTik plugin, change any MikroTik router credentials that match the hardcoded defaults, and audit other FastNetMon plugins for similar issues.

Which versions of FastNetMon are affected?

FastNetMon Community Edition versions 1.2.9 and earlier are affected. The vulnerability exists in src/mikrotik_plugin/fastnetmon_mikrotik.php, which ships with all Community Edition releases that include the MikroTik integration.

Who discovered this vulnerability?

Lorikeet Security discovered CVE-2026-48695 on April 25, 2026. The CVE was assigned by MITRE on May 22, 2026, and publicly disclosed on May 23, 2026.