CVE-2026-47210 Microsoft Sentinel · KQL

Detect vm2 Sandbox Escape via JSPI-backed Promise .finally() Species Bypass in Microsoft Sentinel

Detects exploitation of CVE-2026-47210, a critical sandbox escape vulnerability in the npm vm2 library (versions <= 3.11.3). The vulnerability abuses the JavaScript Promise Integration (JSPI) mechanism and the Promise species pattern in .finally() to escape the vm2 sandbox and execute arbitrary code on the host. A public PoC exists and exploitation grants full host access with the privileges of the Node.js process.

MITRE ATT&CK

Tactic
Execution Privilege Escalation

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let suspiciousArgs = dynamic(['finally', 'species', 'Promise', 'constructor', 'process', 'require', 'child_process']);
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(24h)
| where FileName in~ ('node', 'node.exe') or InitiatingProcessFileName in~ ('node', 'node.exe')
| extend CmdLower = tolower(ProcessCommandLine)
| where CmdLower has_any ('vm2', 'sandbox') 
    or (InitiatingProcessCommandLine has 'vm2' and CmdLower has_any ('exec', 'spawn', 'fork', 'require'))
| extend SuspiciousIndicators = array_length(set_intersect(dynamic(['vm2']), extract_all(@'(\w+)', CmdLower)))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, FolderPath
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName in~ ('node', 'node.exe')
    | where FolderPath !startswith 'C:\\Program Files'
    | where FolderPath !startswith '/usr/'
    | project FileTimestamp=Timestamp, DeviceName, CreatedFilePath=FolderPath, InitiatingProcessFileName
) on DeviceName
| where isnotempty(DeviceName)
| summarize count(), FileCreations=countif(isnotempty(CreatedFilePath)), arg_max(Timestamp, *) by DeviceName, AccountName, ProcessCommandLine
| where count_ > 0
critical severity medium confidence

Detects Node.js processes associated with vm2 that subsequently spawn child processes or create files outside expected paths, indicative of a sandbox escape. Also correlates vm2 usage with unexpected process execution chains.

Data Sources

Microsoft Defender for EndpointMicrosoft Sentinel

Required Tables

DeviceProcessEventsDeviceNetworkEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate Node.js applications using vm2 for sandboxed script execution in development environments
  • Security researchers testing vm2-based sandboxes in lab environments
  • CI/CD pipelines running vm2-dependent test suites that spawn child processes legitimately
  • Node.js debuggers and profiling tools that attach to vm2-using processes

Other platforms for CVE-2026-47210

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1vm2 JSPI Species Bypass — Host Process Execution via Promise.finally

    Expected signal: Process creation event: node spawning child process (sh -c 'id > /tmp/vm2_escape_test.txt') or direct execSync call visible in process audit logs. File creation event for /tmp/vm2_escape_test.txt by the node process.

  2. Test 2vm2 Sandbox Escape — Environment Variable Exfiltration

    Expected signal: Node.js process accessing environment variables in a vm2 run context. Application-layer logging may show unexpected JSON serialization of env object. No child process is spawned, so EDR process-tree signals may not fire — rely on vm2 audit logging if enabled.

  3. Test 3vm2 Version Audit and Vulnerable Instance Discovery

    Expected signal: Process creation events for find and node commands reading package.json files. File access events on node_modules directories. No malicious activity — this is a discovery/audit test.

  4. Test 4vm2 Sandbox Escape on Windows — Host Command Execution via species bypass

    Expected signal: Windows Security Event Log (Event ID 4688) showing node.exe creating a child process (cmd.exe or conhost.exe). EDR telemetry showing process tree: node.exe -> cmd.exe with whoami command. File creation event for C:\Temp\vm2_escape.txt.

Last updated: 2026-06-21 Research depth: standard
References (5)

Unlock Pro Content

Get the full detection package for CVE-2026-47210 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1059.007JavaScriptT1055Process InjectionT1552.001Credentials In Files

Same Tactic: Execution

Popular Detections