Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-45579.

Upgrade to Pro
CVE-2026-45579 IBM QRadar · QRadar

Detect DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579) in IBM QRadar

Detects exploitation attempts and successful compromise of DIRAC's RequestManager component via CVE-2026-45579, a CWE-95 (Eval Injection) vulnerability where untrusted RPC input passed to RequestManager is evaluated via Python's eval() function, resulting in unauthenticated or low-privilege remote code execution. Affected DIRAC (pip package) versions are >=6,<8.0.79, >=8.1.0a1,<9.0.22, and >=9.1.0,<9.1.10. A public PoC exists (GHSA-9jpv-c7p4-997x). Detection focuses on anomalous eval-triggering payloads sent to DIRAC RequestManager RPC/DISET endpoints, resulting child process spawns from DIRAC service processes, and post-exploitation artifacts consistent with grid/HPC computing infrastructure compromise.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime, sourceip, username, "Process Command Line" AS cmdline, "Parent Command Line" AS parent_cmdline
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon', 'Linux OS')
AND ("Parent Command Line" ILIKE '%RequestManager%' OR "Parent Command Line" ILIKE '%dirac-service%' OR "Parent Command Line" ILIKE '%dirac-request%')
AND ("Process Command Line" ILIKE '%eval(%' OR "Process Command Line" ILIKE '%__import__%' OR "Process Command Line" ILIKE '%os.system%' OR "Process Command Line" ILIKE '%subprocess%' OR "Process Command Line" ILIKE '%socket.socket%' OR "Process Command Line" ILIKE '%base64%')
LAST 24 HOURS
critical severity medium confidence

QRadar AQL query to identify processes spawned by DIRAC RequestManager/service components whose command lines contain eval-injection indicators consistent with CVE-2026-45579.

Data Sources

SysmonLinux AuditdQRadar Process Events

Required Tables

events

False Positives & Tuning

  • Legitimate DIRAC operations staff executing debug tooling with eval() usage
  • Automated regression tests hitting RequestManager endpoints
  • False correlation from unrelated Python tooling sharing similar naming

Other platforms for CVE-2026-45579


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate DIRAC RequestManager eval() RCE via crafted RPC payload

    Expected signal: Process creation event showing python3 (DIRAC RequestManager service) spawning /bin/sh -c "id > /tmp/dirac_poc_out" or equivalent child process with eval-injection command-line markers

  2. Test 2Simulate reverse shell spawned from DIRAC service process

    Expected signal: Bash process with /dev/tcp redirection spawned by a process whose parent command line references RequestManager/dirac-service, plus an outbound TCP connection on port 4444

  3. Test 3Simulate malicious eval() injection payload execution on Windows lab host

    Expected signal: DeviceProcessEvents entry showing python.exe spawning cmd.exe/whoami with a parent command line simulation referencing RequestManager, writing output to a temp file

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-45579 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections