Which SIEM platforms have a CVE-2026-47137 detection rule?

df00tech provides CVE-2026-47137 (CVE-2026-47137 — vm2 Sandbox Escape via nesting:true Bypass (RCE)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect CVE-2026-47137 — vm2 Sandbox Escape via nesting:true Bypass (RCE) (CVE-2026-47137)?

Detecting CVE-2026-47137 — vm2 Sandbox Escape via nesting:true Bypass (RCE) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor.

What severity and confidence is the CVE-2026-47137 detection?

The CVE-2026-47137 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-47137?

Common false positives for CVE-2026-47137 include: Legitimate Node.js applications using vm2 for safe sandboxing that invoke child_process for valid build or test workflows; CI/CD pipeline runners executing npm test suites that reference vm2 in test scaffolding; Developer workstations running vm2-based tooling (e.g., code playgrounds) with expected network activity.

CVE-2026-47137: CVE-2026-47137 — vm2 Sandbox Escape via nesting:true Bypass (RCE) — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

union DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ("node", "node.exe", "nodejs")
| where (
    (ProcessCommandLine has "vm2" and ProcessCommandLine has_any ("nesting", "sandbox", "VM", "require"))
    or (InitiatingProcessCommandLine has "vm2" and InitiatingProcessCommandLine has_any ("nesting:true", "sandbox escape"))
    or (FileName has_any ("vm2") and ActionType == "FileCreated" and FolderPath has "node_modules")
  )
| extend SuspiciousChildProcess = iff(
    ProcessCommandLine has_any ("child_process", "exec", "spawn", "execSync", "spawnSync", "execFileSync"),
    true, false
  )
| extend NetworkEgress = iff(
    RemoteIPType == "Public" and ActionType == "NetworkConnectionSuccess",
    true, false
  )
| where SuspiciousChildProcess == true or NetworkEgress == true
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, ProcessCommandLine, RemoteIP, RemotePort,
    FileName, FolderPath, ActionType, SuspiciousChildProcess, NetworkEgress
| sort by TimeGenerated desc

Identifies Node.js processes loading vm2 that subsequently spawn child processes or initiate outbound network connections, which may indicate exploitation of the CVE-2026-47137 sandbox escape. Correlates process, file, and network telemetry.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Azure Monitor

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

Legitimate Node.js applications using vm2 for safe sandboxing that invoke child_process for valid build or test workflows
CI/CD pipeline runners executing npm test suites that reference vm2 in test scaffolding
Developer workstations running vm2-based tooling (e.g., code playgrounds) with expected network activity
Automated security scanners or DAST tools that probe vm2-based endpoints and trigger benign child process spawns

Splunk

spl

index=* sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "osquery:results", "auditd", "node_app_logs")
| eval is_node_parent = if(match(parent_process, "(?i)node(\.exe)?$") OR match(process_name, "(?i)node(\.exe)?$"), 1, 0)
| eval has_vm2_ref = if(match(cmdline, "(?i)vm2") OR match(cmdline, "nesting\s*[:=]\s*true"), 1, 0)
| eval spawns_shell = if(match(cmdline, "(?i)(child_process|exec|spawn|execSync|spawnSync|sh\s+-c|cmd\.exe|/bin/sh|bash\s+-c)"), 1, 0)
| eval outbound_conn = if(sourcetype="stream:tcp" AND direction="outbound" AND dest_ip!="127.0.0.1" AND NOT cidrmatch("10.0.0.0/8", dest_ip) AND NOT cidrmatch("192.168.0.0/16", dest_ip), 1, 0)
| where is_node_parent=1 AND has_vm2_ref=1 AND (spawns_shell=1 OR outbound_conn=1)
| stats count AS event_count, earliest(_time) AS first_seen, latest(_time) AS last_seen,
    values(cmdline) AS commands, values(dest_ip) AS remote_ips, values(user) AS users
    BY host, process_name, parent_process
| where event_count >= 1
| eval severity="CRITICAL", cve="CVE-2026-47137"
| sort - last_seen

Searches Sysmon, Linux audit, and Node.js application logs for vm2 library references within Node.js process trees followed by shell spawning or external network connections indicative of CVE-2026-47137 exploitation.

critical severity high confidence

Data Sources

Splunk Enterprise Security Sysmon for Windows Linux auditd osquery

Required Sourcetypes

WinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure osquery:results auditd

False Positives

Build systems running npm scripts that legitimately use vm2 for sandboxed template evaluation and also invoke child processes for compilation
Node.js microservices that use vm2 for plugin isolation and make legitimate API calls to external services
Security research environments intentionally testing vm2 in controlled lab settings
Automated test suites verifying vm2 sandbox behavior that spawn helper processes as part of test fixtures

Elastic Security (EQL)

eql

sequence by host.name, process.parent.entity_id with maxspan=2m
  [process where event.type == "start"
   and process.name : ("node", "node.exe", "nodejs")
   and (process.args : "*vm2*" or process.command_line : "*nesting*true*" or process.command_line : "*sandbox*")
  ]
  [process where event.type == "start"
   and (
     process.name : ("sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe", "python*", "perl*", "ruby*")
     or process.command_line : ("*child_process*", "*execSync*", "*spawnSync*", "*execFileSync*")
   )
  ]
| head 500

EQL sequence rule detecting a Node.js process referencing vm2 or nesting sandbox options followed within two minutes by a shell or interpreter spawn, which is the characteristic post-exploitation behavior of CVE-2026-47137.

critical severity high confidence

Data Sources

Elastic SIEM Elastic Endpoint Security Filebeat with Sysmon module

Required Tables

logs-endpoint.events.process-* logs-system.syslog-*

False Positives

Monorepo build tools using vm2 for isolated script evaluation that shell out to package managers
Serverless function frameworks that sandbox user code via vm2 and legitimately start child processes for request handling
Node.js test harnesses that use vm2 and spawn interpreter subprocesses to validate sandbox isolation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "process" AS process_name,
  "parentprocess" AS parent_process,
  "commandline" AS command_line,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Sysmon')
  AND (
    ("parentprocess" ILIKE '%node%' OR "process" ILIKE '%node%')
    AND (
      "commandline" ILIKE '%vm2%'
      OR "commandline" ILIKE '%nesting%true%'
    )
    AND (
      "commandline" ILIKE '%child\_process%'
      OR "commandline" ILIKE '%execSync%'
      OR "commandline" ILIKE '%spawnSync%'
      OR "process" ILIKE '%sh%'
      OR "process" ILIKE '%bash%'
      OR "process" ILIKE '%cmd.exe%'
      OR "process" ILIKE '%powershell%'
    )
  )
  AND LOGSOURCETIME(starttime) > NOW() - 7 DAYS
ORDER BY starttime DESC
LIMIT 1000

QRadar AQL query correlating Windows and Linux process events to detect Node.js processes invoking vm2 with nesting options and subsequently spawning shell interpreters, consistent with CVE-2026-47137 exploitation.

critical severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log Linux syslog Sysmon

Required Tables

events

False Positives

Enterprise Node.js applications sandboxing plugin execution via vm2 that legitimately spawn subprocesses for data processing
DevOps toolchains using vm2 for isolated script evaluation in CI pipelines
Monitoring agents built on Node.js that use vm2 and make outbound connections to metrics endpoints

Sumo Logic CSE

sql

_sourceCategory=*linux* OR _sourceCategory=*windows* OR _sourceCategory=*node* OR _sourceCategory=*sysmon*
| parse regex "(?i)(?P<process_name>node(?:\.exe)?)" nodrop
| parse regex "(?i)(?P<vm2_ref>vm2|nesting[\s:=]+true|sandbox)" nodrop
| parse regex "(?i)(?P<shell_spawn>child_process|execSync|spawnSync|execFileSync|/bin/sh|bash -c|cmd\.exe|powershell)" nodrop
| where !isNull(process_name) AND !isNull(vm2_ref) AND !isNull(shell_spawn)
| timeslice 5m
| stats count AS event_count, last(_raw) AS sample_log, values(_sourceHost) AS hosts
    BY _timeslice, process_name, vm2_ref, shell_spawn
| where event_count >= 1
| sort by _timeslice desc
| fields _timeslice, hosts, process_name, vm2_ref, shell_spawn, event_count, sample_log

Sumo Logic query extracting Node.js, vm2, and shell-spawn indicators from Linux/Windows/Sysmon log sources to surface CVE-2026-47137 exploitation activity via pattern matching and correlation.

critical severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Linux syslog collector Windows Event Log collector Sysmon collector

Required Tables

_sourceCategory=*linux* _sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Node.js-based workflow engines using vm2 for sandboxed task execution that legitimately shell out to system utilities
API gateways using vm2 to isolate tenant code with expected outbound service calls
Development environments running vm2 in watch mode alongside shell-based build tools

Google Chronicle / SecOps

yaral

rule cve_2026_47137_vm2_sandbox_escape {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-47137 vm2 nesting:true sandbox escape leading to RCE"
    severity = "CRITICAL"
    confidence = "HIGH"
    mitre_attack = "T1059, T1055, T1068"
    cve = "CVE-2026-47137"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.target.process.file.full_path = /(?i)node(\.exe)?$/
    (
      $e1.target.process.command_line = /(?i)vm2/
      or $e1.target.process.command_line = /(?i)nesting[\s:=]+true/
    )
    $e1.principal.hostname = $host

    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.principal.hostname = $host
    $e2.principal.process.file.full_path = /(?i)node(\.exe)?$/
    (
      $e2.target.process.file.full_path = /(?i)(sh|bash|dash|zsh|cmd\.exe|powershell(\.exe)?)$/
      or $e2.target.process.command_line = /(?i)(child_process|execSync|spawnSync|execFileSync)/
    )

  match:
    $host over 2m

  condition:
    $e1 and $e2
}

Chronicle YARA-L 2.0 rule correlating Node.js process launches referencing vm2 or nesting:true with subsequent shell spawning within a two-minute window on the same host, detecting CVE-2026-47137 exploitation.

critical severity high confidence

Data Sources

Google Chronicle SIEM Google Workspace Endpoint telemetry via Chronicle forwarder

Required Tables

UDM events with PROCESS_LAUNCH type

False Positives

Legitimate server-side rendering engines using vm2 for template sandboxing that spawn shell scripts for asset compilation
Cloud Functions or similar FaaS environments built on Node.js with vm2 isolation layers
Internal tooling platforms that sandbox user-submitted Node.js snippets and call system utilities for resource management

CrowdStrike LogScale (CQL)

cql

event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, NetworkConnectIP4)
| filter ParentBaseFileName IN ("node", "node.exe", "nodejs")
  AND (
    CommandLine LIKE "%vm2%"
    OR CommandLine LIKE "%nesting%true%"
    OR CommandLine LIKE "%nesting:true%"
  )
| filter
  (
    FileName IN ("sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe")
    OR CommandLine LIKE "%child_process%"
    OR CommandLine LIKE "%execSync%"
    OR CommandLine LIKE "%spawnSync%"
    OR CommandLine LIKE "%execFileSync%"
    OR (event_simpleName = "NetworkConnectIP4" AND NOT RemoteAddressIP4 IN ("127.0.0.1", "::1"))
  )
| groupby([ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4, RemotePort])
| stats count() AS event_count BY ComputerName, UserName, FileName, CommandLine
| sort event_count desc

CrowdStrike Falcon CQL detecting vm2 sandbox escape activity by correlating Node.js parent processes with vm2 command-line references followed by shell spawning or external network connections in the Falcon process telemetry.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Intelligence

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4

False Positives

Node.js application servers using vm2 for plugin sandboxing with normal outbound API integrations
Automated scanning tools that enumerate npm packages including vm2 and initiate network checks
Container orchestration workloads where Node.js with vm2 runs alongside legitimate shell-based health check scripts

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-47137 CVE-2026-47137 — vm2 Sandbox Escape via nesting:true Bypass (RCE)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-47137

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox