CVE-2026-48695
OS Command Injection in FastNetMon Community Edition
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastnetmon | community_edition | to 1.2.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48695 is an OS command injection vulnerability in FastNetMon Community Edition up to and including version 1.2.9, specifically in the MikroTik router integration plugin. The vulnerability exists in the _log() function, which constructs shell commands by directly concatenating unsanitized input ($msg) into exec() calls. This allows an attacker who can influence command-line arguments to inject and execute arbitrary shell commands on the system.
Additionally, the plugin contains hardcoded MikroTik router credentials (username "api" and password "api123"), which can be exploited if not changed by operators, allowing unauthorized access to the router's API.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary shell commands on the system running FastNetMon, potentially leading to full system compromise.
Exploitation of the hardcoded credentials can allow attackers to access the MikroTik router's API, enabling them to push malicious configurations, modify firewall rules, create new users, or enable services, thereby compromising network security.
Overall, attackers can disrupt network operations, bypass security controls, and gain persistent access to critical infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves auditing the FastNetMon Community Edition installation, specifically the MikroTik plugin script (fastnetmon_mikrotik.php), for the presence of the vulnerable _log() function that uses exec() with unsanitized input.
Additionally, checking for signs of exploitation can include searching logs for suspicious command injection patterns or unexpected shell commands executed via the plugin.
Suggested commands to detect potential exploitation or presence of the vulnerable code include:
- Searching the plugin file for exec() usage with unescaped input: `grep -n 'exec(' /path/to/fastnetmon_mikrotik.php`
- Checking for hardcoded credentials in the plugin file: `grep -E 'api|api123' /path/to/fastnetmon_mikrotik.php`
- Reviewing system logs for suspicious entries related to FastNetMon or MikroTik plugin activity: `grep 'FASTNETMON' /var/log/syslog` or `journalctl -u fastnetmon`
- Monitoring network traffic for unusual API calls to MikroTik routers or unexpected connections to the API port.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the vulnerable exec() call in the _log() function with safer alternatives such as file_put_contents() or properly escaping shell arguments using escapeshellarg().
Remove or externalize hardcoded MikroTik router credentials from the plugin script to a secure configuration file and ensure strong, unique credentials are used.
Restrict access to the MikroTik router API port by implementing network-level controls such as firewall rules to limit which hosts can connect.
Audit logs for any suspicious activity that might indicate exploitation attempts and monitor for unauthorized changes to router configurations.
If possible, update FastNetMon to a version that includes a fix for this vulnerability once it is released.
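The two code-level mitigations above (replacing the exec()-based _log() and moving the router credentials out of the script), sketched as an added PHP example. It is not FastNetMon's code: safe_log(), load_router_credentials(), the log path and the MIKROTIK_API_* environment variable names are assumptions, environment variables stand in for the secure configuration store, and the commented exec() line only illustrates the pattern the description names.

```php
<?php
declare(strict_types=1);

// Added example, not FastNetMon code. The path, function names and
// environment variable names are assumptions chosen for illustration.
const LOG_FILE = '/var/log/fastnetmon_mikrotik.log'; // assumed path

// Shape of the pattern the advisory describes (illustrative, do not use):
//   exec("echo \"$msg\" >> " . LOG_FILE);   // $msg reaches a shell

/** Hardened logger: no shell is involved, so metacharacters stay data. */
function safe_log(string $msg, string $file = LOG_FILE): bool
{
    // Replace control characters so one event cannot forge extra log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', ' ', $msg) ?? '';
    $line  = sprintf("%s - [FASTNETMON] - %s\n", date('c'), $clean);
    // FILE_APPEND with LOCK_EX: hold an exclusive lock while appending.
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

/** Load router credentials from the environment instead of the script. */
function load_router_credentials(): array
{
    $user = getenv('MIKROTIK_API_USER'); // assumed variable names
    $pass = getenv('MIKROTIK_API_PASS');
    if ($user === false || $pass === false || $user === '' || $pass === '') {
        throw new RuntimeException('MikroTik API credentials are not configured');
    }
    // Fail closed if the defaults named in the advisory are still in use.
    if ($user === 'api' && $pass === 'api123') {
        throw new RuntimeException('Refusing to use the default credentials');
    }
    return ['user' => $user, 'pass' => $pass];
}

// Constructed sample input containing shell metacharacters and a newline.
$tmp = tempnam(sys_get_temp_dir(), 'fnm');
safe_log("ban 192.0.2.10; \$(id) `id`\nforged line", $tmp);
echo file_get_contents($tmp); // show what was written to the log
unlink($tmp);
```

Where a shell call cannot be avoided, each argument should pass through escapeshellarg() individually before it is joined into the command string.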