CVE-2026-48693
Description
FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon Community Edition up to 1.2.9 is vulnerable to a local symlink attack via a predictable /tmp/fastnetmon.dat path, enabling arbitrary file overwrite as root.
Vulnerability
FastNetMon Community Edition through version 1.2.9 contains a local symlink vulnerability due to a predictable temporary file path and insecure file operations. The statistics file path is hardcoded to /tmp/fastnetmon.dat in src/fastnetmon.cpp (line 159) [3]. The print_screen_contents_into_file() function in src/fastnetmon_logic.cpp (line 2186) opens this path using std::ofstream with std::ios::trunc without checking for symlinks or using O_NOFOLLOW [4]. Additionally, the daemon sets umask(0) during daemonization in src/fastnetmon.cpp (line 1821), making any created files world-writable [3]. A chmod bug on line 2190 always applies permissions to cli_stats_file_path regardless of the file_path parameter, further weakening file handling [1][4].
Exploitation
A local attacker needs only unprivileged access to the system. The predictable path /tmp/fastnetmon.dat is in a world-writable directory. By creating a symlink from /tmp/fastnetmon.dat to any target file (e.g., /etc/passwd or a system binary) before the FastNetMon process (typically running as root) writes its statistics, the attacker can cause the process to follow the symlink and truncate or overwrite the target file with the statistics output. The attacker must time the symlink creation to occur between process checks or can use an inotify watch; no other authentication or user interaction is required [1].
Impact
Successful exploitation allows an attacker to overwrite arbitrary files on the system with the privileges of the FastNetMon process, which typically runs as root. This can lead to privilege escalation (e.g., overwriting /etc/sudoers or a setuid binary), denial of service by corrupting critical system files, or data integrity compromise. The world-writable permissions assigned due to umask(0) further increase the risk of secondary attacks [1].
Mitigation
As of the latest available references, no official fix has been released by FastNetMon LTD. The vendor was notified on April 25, 2026 [1]. Until a patched version is available, administrators should restrict local access to trusted users only and consider relocating the statistics file to a dedicated directory outside /tmp that is not world-writable, opened with O_NOFOLLOW so that a symlink at that path is never followed. The issue affects all Community Edition versions up to and including 1.2.9 [1][2].
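A hardened version of the write path described above, as an added example that is not FastNetMon's code: the file is opened with O_NOFOLLOW so a symlink at the stats path is refused, and the mode is applied with fchmod() on the opened descriptor rather than chmod() on a path. The function names and the private temporary directory used by the self-check are assumptions.

```c
/* Hardened replacement for the stats-file write pattern in CVE-2026-48693.
 * Added example, not FastNetMon's code; function names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write `contents` to `path`; returns 0 on success or -errno on failure.
 * O_NOFOLLOW makes open() fail with ELOOP when the last path component is a
 * symlink, so a planted link is never followed. fchmod() on the descriptor
 * sets the mode on the file actually opened, not on a path that may have been
 * swapped (and not on an unrelated path, unlike the chmod bug on line 2190).
 * O_NOFOLLOW does not stop hard links: also keep the file out of /tmp. */
int write_stats_file_safely(const char *path, const char *contents) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0) return -errno;
    if (fchmod(fd, 0644) != 0) { int e = errno; close(fd); return -e; }
    size_t len = strlen(contents), off = 0;
    while (off < len) {
        ssize_t n = write(fd, contents + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; int e = errno; close(fd); return -e; }
        off += (size_t)n;
    }
    return close(fd) == 0 ? 0 : -errno;
}

/* Self-check in a private, freshly created directory (constructed path):
 * a plain file is written, but a symlink named like the stats file is refused
 * with ELOOP and its target keeps its original 9 bytes. Returns 0 on success. */
int check_symlink_is_refused(void) {
    char dir[] = "/tmp/cve-2026-48693-check-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char target[128], link[128], plain[128];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/fastnetmon.dat", dir);
    snprintf(plain, sizeof plain, "%s/plain.dat", dir);
    struct stat st;
    int ok = write_stats_file_safely(target, "original\n") == 0 &&
             symlink(target, link) == 0 &&
             write_stats_file_safely(link, "stats\n") == -ELOOP &&
             stat(target, &st) == 0 && st.st_size == 9 &&
             write_stats_file_safely(plain, "stats\n") == 0;
    unlink(link); unlink(target); unlink(plain); rmdir(dir);
    return ok ? 0 : -1;
}
```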
- [1] CVE-2026-48693: FastNetMon Truncates Whatever /tmp/fastnetmon.dat Points At
- [2] GitHub - pavel-odintsov/fastnetmon: Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
- [3] fastnetmon/src/fastnetmon.cpp at master · pavel-odintsov/fastnetmon
- [4] fastnetmon/src/fastnetmon_logic.cpp at master · pavel-odintsov/fastnetmon
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.2.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.