CVE-2026-48695
Description
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OS command injection in FastNetMon Community Edition ≤1.2.9 MikroTik plugin's _log() function allows remote code execution via unsanitized argv data.
Vulnerability
The MikroTik router integration plugin in FastNetMon Community Edition through version 1.2.9 contains an OS command injection vulnerability. In src/mikrotik_plugin/fastnetmon_mikrotik.php, lines 107-108, the _log() function constructs a shell command by concatenating the $msg parameter directly into an exec() call: exec("echo date \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP) [1]. This $msg variable carries unsanitized attack data originating from command-line arguments (argv[]), allowing injection of arbitrary shell commands. The vulnerable code path is reached when the plugin processes attack notification data supplied via the command line [3]. An identical pattern exists in the companion Juniper plugin [1].
Exploitation
An attacker who can influence argv[] values passed to the FastNetMon MikroTik plugin can inject arbitrary shell commands. This is achieved indirectly through the attack notification pipeline: when FastNetMon detects a DDoS attack, it invokes the plugin with the attacker IP and other data appended as command-line arguments. The attacker controls this data by crafting the source IP of the attack or other parameters that become argv entries. No authentication is required to trigger the injection; the attacker only needs to generate network traffic that causes the plugin to execute [1]. The shell injection occurs because no escaping (e.g., escapeshellarg()) is applied before the string is passed to exec() [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands on the FastNetMon server with the privileges of the FastNetMon process (typically root). This leads to full compromise of the FastNetMon system, including the ability to read or modify configuration files, install malware, pivot to other network devices, and disrupt monitoring operations. Additionally, the same file contains hardcoded MikroTik credentials (username api, password api123) at lines 31-33, compounding the risk: if the default credentials are unchanged, an attacker who gains shell access can immediately authenticate to the MikroTik router and take control of it [1].
Mitigation
As of May 23, 2026, the vendor (FastNetMon LTD) has not responded to Lorikeet Security's disclosure (April 25, 2026) and no fix has been released [1]. Operators should immediately replace exec() with file_put_contents() or apply escapeshellarg() to user-supplied data as demonstrated in the reference analysis [1]. Additionally, the hardcoded credentials must be changed in the plugin file and on any MikroTik routers where they were deployed. Until a patched version is available, the safest mitigation is to disable the MikroTik plugin entirely [1]. The vulnerability is not listed in CISA KEV as of this writing.
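The following PHP is an added illustration, not FastNetMon's plugin code and not taken from the Lorikeet Security analysis. It reconstructs the vulnerable _log() pattern quoted in the description (with the bracket typo and the date call simplified), and places next to it the two fixes the advisory names: writing the log line with file_put_contents() so no shell is involved, and, where a shell command is kept, wrapping every untrusted fragment in escapeshellarg(). It also adds an input check for the IP argument that FastNetMon passes on argv. The log path, the function names, the looks_like_ip() helper and the constructed hostile argument are assumptions for the demonstration.

```php
<?php
// Added illustration for CVE-2026-48695; not FastNetMon's own code.
// Hypothetical log path for the demo (the plugin's real $FILE_LOG_TMP is not reproduced here).
$FILE_LOG_TMP = sys_get_temp_dir() . '/fastnetmon_mikrotik_demo.log';

// VULNERABLE pattern, reconstructed from the advisory text. Never called below.
// $msg is spliced into a shell command line, so any shell metacharacters it
// carries (";", "|", "$(...)", backticks) are interpreted by /bin/sh.
function log_vulnerable(string $msg, string $FILE_LOG_TMP): void
{
    exec("echo date \"- [FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP);
}

// FIX 1 (preferred): no shell at all. file_put_contents() appends bytes to
// the log file; $msg is plain data and is never parsed as a command.
function log_safe(string $msg, string $FILE_LOG_TMP): void
{
    $line = date('c') . " - [FASTNETMON] - " . $msg . "\n";
    file_put_contents($FILE_LOG_TMP, $line, FILE_APPEND | LOCK_EX);
}

// FIX 2: if a shell command must be kept, every untrusted fragment goes
// through escapeshellarg(), which single-quotes it and escapes embedded
// quotes so the shell treats the whole value as one literal word.
function log_safe_shell(string $msg, string $FILE_LOG_TMP): void
{
    $cmd = 'printf "%s - [FASTNETMON] - %s\n" '
         . escapeshellarg(date('c')) . ' '
         . escapeshellarg($msg)
         . ' >> ' . escapeshellarg($FILE_LOG_TMP);
    exec($cmd);
}

// Defensive pre-check (hypothetical helper): FastNetMon hands the plugin an
// attacker-influenced IP on argv, so validate the token before logging or
// using it in any router command, rather than trusting its shape.
function looks_like_ip(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_IP) !== false;
}

// Constructed argv-style value carrying shell metacharacters (demo input only).
$hostile = '203.0.113.5; echo INJECTED';

@unlink($FILE_LOG_TMP);
log_safe($hostile, $FILE_LOG_TMP);
log_safe_shell($hostile, $FILE_LOG_TMP);

// Both hardened variants write the metacharacters literally into the log;
// nothing after the ";" is executed. The validator rejects the hostile
// string and accepts the bare address.
echo file_get_contents($FILE_LOG_TMP);
var_dump(looks_like_ip($hostile));
var_dump(looks_like_ip('203.0.113.5'));
```

Running the script (php demo.php) prints two log lines, each containing the literal text "; echo INJECTED", and no separate "INJECTED" line, which is the observable difference from the exec() concatenation pattern. Fix 1 is the better choice for a log writer: it removes the shell from the data path entirely, whereas Fix 2 only survives as long as every future edit remembers to escape every fragment.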
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.