CVE-2026-47208 IBM QRadar · QRadar

Detect CVE-2026-47208: vm2 Sandbox Breakout via Promise Species in IBM QRadar

Detects exploitation of CVE-2026-47208, a critical sandbox escape vulnerability in the vm2 Node.js library (versions <= 3.11.3). Attackers can abuse the Promise species pattern to break out of the vm2 sandbox and execute arbitrary code on the host. This vulnerability has a CVSS score of 10.0 and a public PoC is available.

MITRE ATT&CK

Tactic
Execution Privilege Escalation Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name",
  "Command",
  "Parent Process Name",
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux OS', 'Sysmon')
  AND (
    (
      LOWER("Process Name") LIKE '%node%'
      AND (
        LOWER("Command") LIKE '%vm2%'
        OR LOWER("Command") LIKE '%symbol.species%'
        OR LOWER("Command") LIKE '%__proto__%'
      )
    )
    OR (
      LOWER("Parent Process Name") LIKE '%node%'
      AND LOWER("Process Name") IN ('sh', 'bash', 'cmd.exe', 'powershell.exe', 'python', 'python3', 'wget', 'curl', 'perl')
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
critical severity medium confidence

QRadar AQL query to detect vm2 sandbox breakout via Promise species exploitation. Looks for Node.js processes with vm2 or prototype-chain manipulation arguments, and unexpected child shells spawned from Node.js.

Data Sources

IBM QRadarWindows Security Event LogLinux OS logsSysmon

Required Tables

events

False Positives & Tuning

  • Node.js web servers using vm2 for plugin sandboxing that spawn legitimate shell commands
  • Automated deployment pipelines involving Node.js and shell scripting
  • Security scanning tools that analyze vm2 packages and trigger process events
  • Development servers with loose process spawning patterns

Other platforms for CVE-2026-47208

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vm2 Promise Species Sandbox Escape - Basic PoC

    Expected signal: EDR should record: node process executing with command line containing vm2 and Promise/species keywords; file write event to /tmp/vm2_escape_proof.txt from the node process.

  2. Test 2vm2 Sandbox Escape with Child Process Spawn

    Expected signal: EDR process tree: node.exe spawning bash as child process. Sysmon Event ID 1 or auditd EXECVE records showing parent process as node and child as bash with the -c flag.

  3. Test 3Vulnerable vm2 Version Inventory Check

    Expected signal: File read events for package.json files under node_modules/vm2/ paths. The find command execution and subsequent node invocations should appear in process telemetry.

Last updated: 2026-06-20 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-47208 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege EscalationTA0008Lateral Movement

Related Techniques

T1059.007JavaScriptT1203Exploitation for Client ExecutionT1068Exploitation for Privilege Escalation

Same Tactic: Execution

Popular Detections