CVE-2026-48695
Publication date 26 May 2026
Last updated 27 May 2026
Ubuntu priority
Description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg().
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| fastnetmon | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.1 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-48695
- https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48695-mikrotik-cmd-injection
- https://github.com/pavel-odintsov/fastnetmon/pull/1047
- https://github.com/pavel-odintsov/fastnetmon/commit/54a95427a1f6fe0237ddb0c3fc14622df1c93870
- https://github.com/pavel-odintsov/fastnetmon
- https://github.com/pavel-odintsov/fastnetmon/blob/master/src/mikrotik_plugin/fastnetmon_mikrotik.php