Detect BerriAI LiteLLM Command Injection (CVE-2026-42271) in Microsoft Sentinel
Detects exploitation of CVE-2026-42271, a command injection vulnerability in BerriAI LiteLLM. An attacker who can reach the LiteLLM API or admin interface may inject OS commands that execute under the LiteLLM process context, leading to remote code execution. The vulnerability is tracked under CWE-78 (OS Command Injection) and CWE-77 (Command Injection) and is listed as actively exploited in CISA KEV.
MITRE ATT&CK
- Tactic
- Execution Persistence Lateral Movement
KQL Detection Query
let suspiciousPatterns = dynamic([";", "&&", "||", "`", "$(", "|", ">", "<", "\n", "%0a", "%3b", "%26%26", "%7c"]);
let litellmPorts = dynamic(["4000", "8000", "8080"]);
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (litellmPorts))
or (FileName in~ ("python", "python3", "sh", "bash", "cmd.exe", "powershell.exe") and InitiatingProcessFileName in~ ("python", "python3", "uvicorn", "gunicorn"))
| extend DecodedCmdLine = url_decode(ProcessCommandLine)
| where (ProcessCommandLine has_any (suspiciousPatterns) or DecodedCmdLine has_any (suspiciousPatterns))
and (ProcessCommandLine contains "litellm" or InitiatingProcessCommandLine contains "litellm" or InitiatingProcessFileName =~ "uvicorn")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, LocalPort, RemoteIP
| order by TimeGenerated descDetects suspicious child process spawning or inbound connections on common LiteLLM ports combined with command injection metacharacters in process command lines, indicating potential CVE-2026-42271 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate LiteLLM administrative scripts that pass shell-like arguments for model configuration
- CI/CD pipelines running automated LiteLLM integration tests with parameterized commands
- Security testing or red team exercises against LiteLLM instances
Other platforms for CVE-2026-42271
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1LiteLLM API Command Injection via Model Parameter
Expected signal: Process creation event showing sh or bash child process under the uvicorn/gunicorn parent with command line containing the injected id command
- Test 2LiteLLM Out-of-Band Command Injection with Reverse Shell Attempt
Expected signal: Network connection event showing outbound TCP to 127.0.0.1:9999 from the LiteLLM process, plus a bash process with -i flag spawned from the Python parent
- Test 3LiteLLM Config Endpoint Command Injection via Backtick Substitution
Expected signal: Process creation event with backtick command substitution syntax in command line, spawned from the LiteLLM Python process
- Test 4Post-Exploitation Credential Harvesting via LiteLLM Injection
Expected signal: Process creation event showing cat and tr commands spawned from LiteLLM parent, with file write event to /tmp/cve42271_env.txt
Unlock Pro Content
Get the full detection package for CVE-2026-42271 including response playbook, investigation guide, and atomic red team tests.