9.8
CVE-2026-48687: FastNetMon Community Edition Juniper Router Plugin Allows Malicious Commands
CVE-2026-48687
Summary
The Juniper router integration plugin in FastNetMon Community Edition has an OS command injection flaw that could allow an attacker to execute arbitrary system commands. It affects users who run the plugin, particularly where data reaches the plugin through its command-line arguments. To stay secure, update to the latest version of FastNetMon Community Edition.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| pavel-odintsov | fastnetmon | <= 1.2.9 (cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*) |
Original title
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php ...
Original description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters.
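The remediation named in the description, written out as an added example (not FastNetMon's own code): logging through file_put_contents() instead of a shell, plus validation of the three arguments. The names `safe_log`, `parse_args`, the log path and the allowed direction values are assumptions made for illustration.

```php
<?php
// Added example, not FastNetMon code. Names and paths here are assumptions.
declare(strict_types=1);

const LOG_FILE = '/tmp/fastnetmon_juniper_example.log'; // hypothetical path

// Append one line without a shell: $msg is only ever treated as data.
function safe_log(string $msg, string $file = LOG_FILE): bool
{
    // Replace control characters so a value cannot forge extra log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', ' ', $msg);
    $line  = sprintf("%s - [FASTNETMON] - %s\n", date('c'), $clean);
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Validate the three arguments the description names (IP, direction, power).
// Returns the normalised values, or null if any field is malformed.
function parse_args(array $argv): ?array
{
    if (count($argv) < 4) return null;
    [, $ip, $direction, $power] = $argv;
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return null;
    // Assumption: allowed direction values; adjust to what the caller sends.
    if (!in_array($direction, ['incoming', 'outgoing'], true)) return null;
    if (!ctype_digit($power)) return null;
    return ['ip' => $ip, 'direction' => $direction, 'power' => (int)$power];
}

// Constructed inputs: one well-formed, one carrying shell metacharacters.
$samples = [
    ['script.php', '192.0.2.10', 'incoming', '120000'],
    ['script.php', '192.0.2.10; echo injected', 'incoming', '120000'],
];
foreach ($samples as $args) {
    $parsed = parse_args($args);
    if ($parsed === null) {
        // Even the rejected value is safe to log: no shell ever parses it.
        safe_log('rejected arguments: ' . json_encode(array_slice($args, 1)));
        continue;
    }
    safe_log(sprintf('%s %s %d', $parsed['ip'], $parsed['direction'], $parsed['power']));
}
```

Validation and shell-free logging are independent layers: the second sample is rejected by `parse_args`, and its raw text still lands in the log as plain data.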
Vulnerability type
CWE-78
OS Command Injection
Published: 26 May 2026 · Updated: 28 May 2026 · First seen: 26 May 2026