CVE-2026-48693
Analyzed Analyzed - Analysis Complete
Local Symlink Attack in FastNetMon Community Edition

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: MITRE

Description
FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-48693
EUVD
EUVD-2026-31899
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pavel-odintsov fastnetmon to 1.2.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48693 is a local symlink attack vulnerability in FastNetMon Community Edition up to version 1.2.9. The software writes statistics to a predictable and hardcoded file path (/tmp/fastnetmon.dat) without checking for symbolic links or using safe file open flags like O_NOFOLLOW. Additionally, the program sets the file creation mask (umask) to 0, making created files world-writable. Because of these issues, a local attacker can create a symbolic link at the expected file path pointing to an arbitrary file, such as a sensitive system file, and cause FastNetMon to overwrite that file with its data. This can lead to unauthorized file modification and potential privilege escalation.

Impact Analysis

This vulnerability allows a local attacker to overwrite arbitrary files on the system with the permissions of the FastNetMon process user, which is typically root. By exploiting the symlink attack, the attacker can inject malicious content into critical system files, such as cron job files, leading to local privilege escalation. The world-writable permissions on created files further increase the risk by allowing other users to modify these files. Overall, this can compromise system integrity and security.

Detection Guidance

This vulnerability involves a local symlink attack via predictable file paths in /tmp, specifically the file /tmp/fastnetmon.dat being overwritten through symlink exploitation.

To detect if your system is vulnerable or being exploited, you can check for suspicious symlinks pointing from /tmp/fastnetmon.dat to sensitive files.

  • Run the command: ls -l /tmp/fastnetmon.dat to see if it is a symlink.
  • Use find to locate symlinks in /tmp: find /tmp -type l -ls
  • Check for unexpected modifications or world-writable permissions on critical files that could have been overwritten, e.g., ls -l /etc/cron.d/

Additionally, monitoring FastNetMon logs or system audit logs for unusual file operations or permission changes on /tmp/fastnetmon.dat or related files may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include preventing symlink attacks on the /tmp directory and restricting file permissions.

  • Mount the /tmp directory with the nosymfollow option to prevent following symlinks.
  • Enable kernel protections such as fs.protected_symlinks to restrict symlink following by non-owners.
  • Manually check and remove any malicious symlinks pointing from /tmp/fastnetmon.dat to sensitive files.
  • Restrict permissions on /tmp and related files to prevent world-writable files.

Long-term fixes involve updating FastNetMon to a version that moves the stats file to a private directory, uses O_NOFOLLOW when opening files, and sets a restrictive umask, but as of May 2026 no fix has been released.

Compliance Impact

The vulnerability allows a local attacker to overwrite arbitrary files as root by exploiting insecure handling of temporary files and symlinks. This can lead to unauthorized modification of system files and potential privilege escalation.

Such unauthorized access and modification of system files can compromise the integrity and confidentiality of data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict controls over data protection and system security.

Specifically, the ability to inject malicious content (e.g., cron jobs) and escalate privileges could lead to breaches of sensitive personal or health information, undermining regulatory compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48693. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart