FastNetmon CE: 15 CVEs Disclosed in Single Day — Critical BGP, Command Injection, and Memory Safety Flaws
Fifteen vulnerabilities hit FastNetmon Community Edition on May 26, 2026, including three critical BGP parsing bugs, two OS command injections in router plugins, and a gRPC API with zero authentication.

Key findings
- Three Critical (CVSS 9.8) BGP parsing bugs: stack buffer overflow, heap off-by-one, and integer overflow in AS_PATH encoder
- Two OS command injection flaws in Juniper and MikroTik plugins allow remote code execution
- gRPC API on port 50052 has zero authentication (InsecureServerCredentials)
- TLS certificate verification is never enabled on outbound HTTPS connections
- Six BGP-layer vulnerabilities mean untrusted BGP peers can compromise the server
- All 15 CVEs affect FastNetmon CE through version 1.2.9

On May 26, 2026, a batch of 15 CVEs was disclosed against FastNetmon Community Edition through version 1.2.9, the open-source DDoS detection and network monitoring tool maintained by Pavel Odintsov. Published within a three-hour window, the vulnerabilities span memory corruption in BGP protocol parsing, OS command injection in router integration plugins, missing TLS certificate validation, an unauthenticated gRPC API, and multiple out-of-bounds read flaws in NetFlow and packet processing. Three of the CVEs carry a Critical severity rating (CVSS 9.8), making this one of the most significant security disclosures for the project to date.
Critical BGP parsing bugs dominate the batch. Three CVEs scored at 9.8 target the BGP protocol decoder — the component responsible for processing route announcements from peer routers. CVE-2026-48686 is a stack-based buffer overflow in the NLRI (Network Layer Reachability Information) decoder: the function decode_bgp_subnet_encoding_ipv4_raw() reads prefix_bit_length directly from the BGP packet without validating it is ≤ 32 for IPv4, allowing an attacker to overflow a fixed-size stack buffer. CVE-2026-48689 is an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class affecting five methods that use an incorrect bounds check. CVE-2026-48691 is an integer overflow in the BGP AS_PATH attribute encoder where attribute_length is computed as sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t) and stored in a uint16_t, enabling heap corruption via crafted BGP updates. All three can be triggered by a malicious BGP peer sending a specially crafted route announcement, potentially leading to remote code execution.
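The missing prefix-length check described for CVE-2026-48686, shown as an added example (not FastNetmon's code): a bounds-checked decoder for one IPv4 NLRI entry. The function and struct names are hypothetical and the sample byte strings are constructed.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct Ipv4Prefix {
    std::array<uint8_t, 4> addr{};  // network byte order, host bits cleared
    uint8_t bit_length = 0;
    size_t consumed = 0;            // bytes consumed from the NLRI field
};

// Hypothetical decoder for one RFC 4271 NLRI entry:
// <prefix length in bits, 1 byte> <ceil(bits / 8) prefix bytes>.
bool decode_ipv4_nlri_prefix(const uint8_t* data, size_t len, Ipv4Prefix& out) {
    if (data == nullptr || len < 1) return false;
    const uint8_t bits = data[0];
    // The length byte comes from the peer and can be 0..255; IPv4 allows at
    // most 32. Without this check the copy below could write up to 32 bytes
    // into the 4-byte destination.
    if (bits > 32) return false;
    const size_t prefix_bytes = (bits + 7u) / 8u;  // 0..4 after the check
    // The prefix bytes must also lie inside the received field.
    if (prefix_bytes > len - 1) return false;
    Ipv4Prefix p;
    p.bit_length = bits;
    p.consumed = 1 + prefix_bytes;
    std::memcpy(p.addr.data(), data + 1, prefix_bytes);
    if (bits % 8 != 0) {  // clear host bits in the last, partial byte
        p.addr[prefix_bytes - 1] &= static_cast<uint8_t>(0xFFu << (8 - bits % 8));
    }
    out = p;
    return true;
}

int main() {
    const uint8_t valid[] = {24, 192, 0, 2};          // constructed: 192.0.2.0/24
    const uint8_t oversized[] = {33, 1, 2, 3, 4, 5};  // constructed: length > 32
    Ipv4Prefix p;
    std::printf("valid accepted: %d\n", decode_ipv4_nlri_prefix(valid, sizeof valid, p));
    std::printf("oversized accepted: %d\n", decode_ipv4_nlri_prefix(oversized, sizeof oversized, p));
    return 0;
}
```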
Additional BGP and protocol parsing flaws. CVE-2026-48688 (High, 7.5) covers multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder — the source code at src/bgp_protocol.cpp line 156 even contains a TODO comment acknowledging the need for sanity checks. CVE-2026-48685 (Medium, 6.5) is an out-of-bounds memory access caused by incorrect parsing of BGP path attributes with the extended length flag set. CVE-2026-48696 (Medium, 6.2) is a separate buffer overflow in the BGP code, distinct from the two other overflow CVEs. Together, these six BGP-layer vulnerabilities mean that any FastNetmon instance peering with an untrusted BGP speaker is exposed to remote compromise or denial of service.
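For the extended-length case behind CVE-2026-48685, an added example (not FastNetmon's code) of walking a Path Attributes field with every header and value checked against the end of the field. The names are hypothetical and the sample UPDATE bytes are constructed; the flag bit and header layout follow RFC 4271.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct PathAttribute {
    uint8_t flags;
    uint8_t type_code;
    const uint8_t* value;  // points into the caller's buffer
    size_t length;
};

constexpr uint8_t kExtendedLength = 0x10;  // RFC 4271 attribute flag bit

// Splits a Path Attributes field into attributes. Returns false, leaving
// `out` empty, if any header or value would extend past the end of the field.
bool split_path_attributes(const uint8_t* data, size_t len,
                           std::vector<PathAttribute>& out) {
    out.clear();
    size_t pos = 0;
    while (pos < len) {
        const bool extended = (data[pos] & kExtendedLength) != 0;
        // flags + type + a 1-byte length, or a 2-byte length when extended
        const size_t header = extended ? 4 : 3;
        if (len - pos < header) { out.clear(); return false; }
        size_t value_len = data[pos + 2];
        if (extended) value_len = (value_len << 8) | data[pos + 3];
        // Compare against the bytes that remain, never against pos + value_len,
        // so the check itself cannot wrap.
        if (value_len > len - pos - header) { out.clear(); return false; }
        out.push_back({data[pos], data[pos + 1], data + pos + header, value_len});
        pos += header + value_len;
    }
    return true;
}

int main() {
    // Constructed sample: ORIGIN (1-byte length), then AS_PATH with the
    // extended-length flag set (2-byte length 0x0006).
    const uint8_t attrs[] = {0x40, 0x01, 0x01, 0x00,
                             0x50, 0x02, 0x00, 0x06, 0x02, 0x01, 0x00, 0x00, 0xFB, 0xF0};
    std::vector<PathAttribute> parsed;
    std::printf("complete field ok: %d\n", split_path_attributes(attrs, sizeof attrs, parsed));
    std::printf("truncated field ok: %d\n", split_path_attributes(attrs, sizeof attrs - 1, parsed));
    return 0;
}
```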
OS command injection in router integration plugins. Two critical-severity command injection flaws were found in the Juniper and MikroTik integration plugins. CVE-2026-48687 (Critical, 9.8) affects the Juniper plugin's _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118), which concatenates the $msg parameter directly into exec() calls. CVE-2026-48695 (High, 8.1) does the same in the MikroTik plugin's _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php. An attacker who can influence log messages — or who can trigger the plugin with crafted input — can execute arbitrary OS commands on the FastNetmon server. Additionally, CVE-2026-48694 (High, 8.1) is a configuration injection in the Juniper plugin where the $IP_ATTACK variable from argv[1] is directly interpolated into Juniper NETCONF set-configuration commands, allowing an attacker to inject arbitrary router configuration changes.
Missing authentication and TLS verification. CVE-2026-48692 (High, 8.1) exposes a gRPC API server on port 50052 with no authentication mechanism — the server is initialized with grpc::InsecureServerCredentials() and a source code comment explicitly acknowledges the lack of authentication. Any network-accessible attacker can query or manipulate the FastNetmon instance via gRPC. CVE-2026-48697 (High, 7.4) reveals that the function execute_web_request_secure() loads CA certificates but never calls set_verify_mode(), meaning all outbound HTTPS connections are made without verifying the remote server's TLS certificate, enabling man-in-the-middle attacks on any API calls or webhooks the tool makes.
Memory safety issues in packet and NetFlow processing. CVE-2026-48690 (High, 7.1) is an integer overflow in packet capture buffer allocation in src/packet_storage.hpp, where the multiplication buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) can overflow, leading to undersized buffer allocation. CVE-2026-48684 and CVE-2026-48683 (both Medium, 6.5) are out-of-bounds reads in the NetFlow v9 collector — the options template parser and the data flowset processor, respectively — where iteration bounds are not properly checked against the packet end. CVE-2026-48693 (Medium, 5.5) is a local symlink attack via the predictable /tmp/fastnetmon.dat statistics file path, allowing a local attacker to redirect writes to an arbitrary file.
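The two size computations called out above, the AS_PATH attribute length (CVE-2026-48691) and the capture buffer size (CVE-2026-48690), written with explicit overflow checks as an added example (not FastNetmon's code). The function names, the 2-byte segment header size and the use of size_t for the operands are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumed size of the AS_PATH segment header (type + count); stands in for
// sizeof(bgp_as_path_segment_element_t), whose definition is not on the page.
constexpr size_t kSegmentHeaderSize = 2;

// Computes header + asn_count * 4 in size_t and refuses results that do not
// fit the 16-bit length field instead of silently truncating them.
bool as_path_attribute_length(size_t asn_count, uint16_t& out) {
    constexpr size_t kMax = std::numeric_limits<uint16_t>::max();
    if (asn_count > (kMax - kSegmentHeaderSize) / sizeof(uint32_t)) return false;
    out = static_cast<uint16_t>(kSegmentHeaderSize + asn_count * sizeof(uint32_t));
    return true;
}

// Computes packets * (max_packet_size + header_size) for a capture buffer,
// rejecting any combination whose sum or product wraps around size_t.
// header_size stands in for sizeof(fastnetmon_pcap_pkthdr_t).
bool capture_buffer_bytes(size_t packets, size_t max_packet_size,
                          size_t header_size, size_t& out) {
    constexpr size_t kMax = std::numeric_limits<size_t>::max();
    if (max_packet_size > kMax - header_size) return false;  // sum would wrap
    const size_t per_packet = max_packet_size + header_size;
    if (per_packet != 0 && packets > kMax / per_packet) return false;  // product would wrap
    out = packets * per_packet;
    return true;
}

int main() {
    // What the unchecked form does: 2 + 16384 * 4 = 65538 no longer fits in
    // 16 bits, so the stored length is far smaller than the data that follows.
    const uint16_t truncated =
        static_cast<uint16_t>(kSegmentHeaderSize + 16384 * sizeof(uint32_t));
    uint16_t len = 0;
    size_t bytes = 0;
    std::printf("unchecked length for 16384 ASNs: %u\n", static_cast<unsigned>(truncated));
    std::printf("checked length accepted: %d\n", as_path_attribute_length(16384, len));
    std::printf("1000 x (1500 + 16) accepted: %d\n", capture_buffer_bytes(1000, 1500, 16, bytes));
    return 0;
}
```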
Response and remediation. All 15 CVEs affect FastNetmon Community Edition through version 1.2.9. Users should upgrade to the latest patched version as soon as it becomes available. For deployments that cannot immediately upgrade, mitigations include: restricting BGP peering to trusted and authenticated peers only, blocking network access to port 50052 (gRPC) from untrusted networks, and reviewing any use of the Juniper and MikroTik plugins for exposure to untrusted input. The vulnerabilities were disclosed via the CVE assignment process on May 26, 2026, and system administrators running FastNetmon in production environments — particularly those with BGP peering or router integration enabled — should treat this batch as a high-priority update event.
This batch of 15 CVEs represents a comprehensive security review of FastNetmon's core components. The concentration of memory corruption bugs in the BGP decoder and the presence of command injection in router plugins highlight the risk of running network monitoring tools that parse untrusted protocol data. Users should monitor the FastNetmon GitHub repository for patch releases and follow the project's security advisories for further updates.