CVE-2026-47140 CrowdStrike LogScale · LogScale

Detect CVE-2026-47140 — vm2 Builtin Denylist Bypass via process/inspector Leads to Host RCE in CrowdStrike LogScale

Detects exploitation of CVE-2026-47140, a critical sandbox escape in the npm vm2 package (versions <= 3.11.3). Attackers bypass the builtin module denylist using process and inspector/promises references to execute arbitrary code on the host Node.js process. CVSS 10.0. PoC is publicly available.

MITRE ATT&CK

Tactic
Execution Privilege Escalation Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName=/node(\.exe)?$/i
| CommandLine=/(vm2|NodeVM|new\s+VM)/i
| join type=inner (
    #event_simpleName=NetworkConnectIP4
    | RemoteAddressIP4!=/^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
    | stats count() AS ext_connections, values(RemoteAddressIP4) AS remote_ips BY TargetProcessId, ComputerName
  ) ON TargetProcessId=ProcessId AND ComputerName
| eval risk_level=if(ext_connections > 5, "critical", if(ext_connections > 1, "high", "medium"))
| fields ComputerName, UserName, ProcessId, CommandLine, ext_connections, remote_ips, risk_level
| sort -ext_connections
critical severity high confidence

CrowdStrike Falcon CQL query correlating Node.js processes invoking vm2 with external network connections, flagging potential exploitation of CVE-2026-47140.

Data Sources

CrowdStrike Falcon Endpoint ProtectionCrowdStrike Falcon Insight XDR

Required Tables

ProcessRollup2NetworkConnectIP4

False Positives & Tuning

  • Legitimate Node.js services using vm2 for sandboxing with required outbound connectivity
  • Automated testing pipelines on endpoints that run vm2-based tests with network access
  • Developer machines where vm2 is installed globally and used with external service calls
  • Security tooling that uses vm2 for sandboxed payload detonation with external reporting

Other platforms for CVE-2026-47140

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vm2 Sandbox Escape via inspector/promises — Host Code Execution

    Expected signal: Sysmon/auditd will log: (1) node process launch with vm2 in path or arguments, (2) file creation event at /tmp/vm2_escape_poc.txt by the node process, (3) a child process or execSync call spawning sh/bash from within node

  2. Test 2vm2 Escape with Outbound Network Callback (Simulated C2 Beacon)

    Expected signal: Network flow logs will show an outbound HTTP connection to example.com originating from the node process PID. EDR should capture the network connect event and correlate it to the parent node process with vm2 in its command line.

  3. Test 3vm2 Escape via process.binding — Enumerate Host Environment Secrets

    Expected signal: File write event at /tmp/vm2_env_harvest.json attributed to node process. Process event showing node with potential vm2-related arguments. EDR may also capture the internal environment variable enumeration if it hooks process.env access.

Last updated: 2026-06-20 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-47140 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege EscalationTA0008Lateral Movement

Related Techniques

T1059.007JavaScriptT1203Exploitation for Client ExecutionT1068Exploitation for Privilege EscalationT1552.001Credentials In Files

Same Tactic: Execution

Popular Detections