CVE-2026-47429 Microsoft Sentinel · KQL

Detect CVE-2026-47429: Vitest UI Server Arbitrary File Read and Execution in Microsoft Sentinel

CVE-2026-47429 is a critical missing authorization vulnerability (CWE-862, CVSS 9.8) in the Vitest UI server. When the Vitest UI server is listening, unauthenticated remote attackers can read arbitrary files from the filesystem and execute arbitrary code. Affected versions include Vitest < 3.2.6 and >= 4.0.0, < 4.1.0. A public proof-of-concept exists. Exploitation typically involves sending crafted WebSocket or HTTP requests to the Vitest UI server's RPC endpoint to traverse the filesystem or trigger code execution via the browser plugin's file system command handlers.

MITRE ATT&CK

Tactic
Initial Access Credential Access Execution

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let VitestPorts = dynamic([51204, 51205, 5173, 5174, 4173]);
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (
    (ActionType == "InboundConnectionAccepted" and LocalPort in (VitestPorts))
    or
    (FileName in~ ("node", "node.exe") and ProcessCommandLine has_any ("vitest", "--ui", "vitest/ui"))
  )
| extend IsVitestUI = ProcessCommandLine has "--ui" or ProcessCommandLine has "vitest ui"
| join kind=leftouter (
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where InitiatingProcessFileName in~ ("node", "node.exe")
    | where FolderPath !startswith "C:\\Users" or FolderPath has_any (".env", "id_rsa", "passwd", "shadow", "/etc/")
    | project FileAccessTime=TimeGenerated, DeviceId, AccessedPath=FolderPath, InitiatingProcessCommandLine
) on DeviceId
| where isnotempty(AccessedPath)
| project TimeGenerated, DeviceName, ProcessCommandLine, AccessedPath, InitiatingProcessCommandLine, LocalPort
| extend RiskScore = case(
    AccessedPath has_any (".env", "id_rsa", "id_ed25519", ".pem", "shadow", "passwd", "credentials", "secrets"), 100,
    AccessedPath has_any ("/etc/", "C:\\Windows\\System32"), 80,
    50
  )
| where RiskScore >= 50
| order by RiskScore desc
critical severity medium confidence

Detects Vitest UI server processes accepting inbound network connections and subsequently accessing sensitive files outside of normal project directories, indicative of CVE-2026-47429 exploitation via the unauthenticated RPC file system command handlers.

Data Sources

DeviceNetworkEventsDeviceProcessEventsDeviceFileEvents

Required Tables

DeviceNetworkEventsDeviceProcessEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate Vitest UI usage in developer environments with intentional file reads during testing
  • CI/CD pipelines running Vitest with --ui flag in isolated build containers
  • Security researchers running authorized PoC testing against Vitest installations
  • Monorepo setups where node accesses broad paths during normal test execution

Other platforms for CVE-2026-47429

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47429 - Vitest UI Arbitrary File Read via RPC

    Expected signal: Network connection from external IP to port 5173; node process file open event for /etc/passwd; WebSocket upgrade request in proxy logs

  2. Test 2CVE-2026-47429 - Vitest UI Credential File Exfiltration Simulation

    Expected signal: Sequence of file open events for multiple sensitive paths initiated by node process; multiple WebSocket messages to Vitest UI port within short timeframe

  3. Test 3CVE-2026-47429 - Vitest UI Remote Code Execution via Test Execution

    Expected signal: Child process spawned by node with shell command arguments; file creation event at /tmp/vitest-rce-proof.txt; Sysmon Event ID 1 for child process of node.exe/node

Last updated: 2026-06-21 Research depth: standard
References (8)

Unlock Pro Content

Get the full detection package for CVE-2026-47429 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential AccessTA0002Execution

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1059.007JavaScriptT1552.001Credentials In Files

Same Tactic: Initial Access

Popular Detections