CVE-2026-48694
Description
FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF set-configuration commands at lines 69 and 90 without any validation or sanitization. Line 69: $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"). Line 90: $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"). An attacker who can control the IP address string can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set/delete commands. This could modify the router's routing table, firewall filters, user accounts, or any other configuration element accessible via NETCONF. The impact is full router compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FastNetMon Community Edition ≤1.2.9 has a Juniper NETCONF injection vulnerability allowing full router compromise via unsanitized IP input.
Vulnerability
In FastNetMon Community Edition through version 1.2.9, the Juniper router integration plugin (src/juniper_plugin/fastnetmon_juniper.php) contains a configuration injection vulnerability. The $IP_ATTACK variable, received from argv[1], is directly interpolated into Juniper NETCONF set and delete commands at lines 69 and 90 without any validation or sanitization [1]. Line 69 executes set routing-options static route {$IP_ATTACK} community 65535:666 discard for banning an IP, and line 90 executes delete routing-options static route {$IP_ATTACK}/32 for unbanning [1]. The vulnerability affects all installations using the Juniper plugin with NETCONF integration [2].
Exploitation
An attacker who can control the IP address string passed to the plugin (e.g., via the attack notification pipeline) can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set or delete commands [1]. No authentication is required beyond the ability to trigger a ban or unban action, which is typically possible for an attacker whose IP is detected as a source of DDoS traffic [1]. The attacker does not need direct network access to the FastNetMon host; the injection occurs through the normal attack handling flow [1].
Impact
Successful exploitation allows an attacker to modify any Juniper router configuration element accessible via NETCONF, including routing tables, firewall filters, user accounts, and other settings [1]. This results in full compromise of the affected Juniper router, with potential for denial of service, traffic redirection, or persistent backdoor access [1].
Mitigation
As of May 23, 2026, no vendor fix has been released for CVE-2026-48694 [1]. FastNetMon LTD was notified on April 25, 2026, but has not responded [1]. Users are advised to disable the Juniper plugin or restrict access to the FastNetMon attack notification pipeline until a patch is available [1]. No workaround is documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.2.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.