Detect BerriAI LiteLLM Command Injection (CVE-2026-42271) in IBM QRadar
Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.
MITRE ATT&CK
- Tactic
- Execution Persistence Lateral Movement
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
QIDNAME(qid) AS event_name,
"processname",
"parentprocessname",
"commandline"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Microsoft Windows Security Event Log', 'Endpoint Management Systems')
AND (
LOWER("parentprocessname") LIKE '%uvicorn%'
OR LOWER("parentprocessname") LIKE '%gunicorn%'
OR LOWER("parentprocessname") LIKE '%litellm%'
OR (LOWER("parentprocessname") LIKE '%python%' AND (destinationport = 4000 OR destinationport = 8000 OR destinationport = 8080))
)
AND (
"commandline" LIKE '%;%'
OR "commandline" LIKE '%&&%'
OR "commandline" LIKE '%||%'
OR "commandline" LIKE '%`%'
OR "commandline" LIKE '%$(%'
OR "commandline" LIKE '%|%'
OR "commandline" LIKE '%%0a%'
OR "commandline" LIKE '%%3b%'
)
AND LOGSOURCETIME > NOW() - 1 DAYS
ORDER BY devicetime DESC
LIMIT 500QRadar AQL query detecting suspicious child processes spawned by LiteLLM-related parent processes (uvicorn, gunicorn, python) with command injection metacharacters in the command line.
Data Sources
Required Tables
False Positives & Tuning
- System administration tasks that legitimately call shell commands via Python subprocesses
- Scheduled tasks or cron jobs invoking LiteLLM with piped shell arguments
- Penetration testing activities targeting LiteLLM in authorized engagements
Other platforms for CVE-2026-42271
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1LiteLLM API Command Injection via Model Parameter
Expected signal: Process creation event showing sh or bash child process under the uvicorn/gunicorn parent with command line containing the injected id command
- Test 2LiteLLM Out-of-Band Command Injection with Reverse Shell Attempt
Expected signal: Network connection event showing outbound TCP to 127.0.0.1:9999 from the LiteLLM process, plus a bash process with -i flag spawned from the Python parent
- Test 3LiteLLM Config Endpoint Command Injection via Backtick Substitution
Expected signal: Process creation event with backtick command substitution syntax in command line, spawned from the LiteLLM Python process
- Test 4Post-Exploitation Credential Harvesting via LiteLLM Injection
Expected signal: Process creation event showing cat and tr commands spawned from LiteLLM parent, with file write event to /tmp/cve42271_env.txt
Unlock Pro Content
Get the full detection package for CVE-2026-42271 including response playbook, investigation guide, and atomic red team tests.