Detect CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner in Microsoft Sentinel
Detects exploitation of CVE-2026-47668, a critical unauthenticated remote code execution vulnerability in dbgate-serve <= 7.1.8. The JSON Script Runner endpoint accepts and executes arbitrary JavaScript/JSON payloads without authentication, allowing attackers to achieve full server compromise. A public PoC is available.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
KQL Detection Query
let dbgate_ports = dynamic([3000, 3001, 8080, 8443]);
let suspicious_paths = dynamic(["/script/run", "/script/execute", "/run-script", "/api/script"]);
union DeviceNetworkEvents, W3CIISLog, AzureDiagnostics
| where TimeGenerated > ago(24h)
| where (
(csUriStem has_any (suspicious_paths) and csMethod == "POST")
or (RequestUri has_any (suspicious_paths) and HttpMethod == "POST")
or (Url has_any (suspicious_paths) and RequestMethod == "POST")
)
| where (
csUserName == "-" or csUserName == "" or isempty(csUserName)
or AuthenticatedUser == "" or isempty(AuthenticatedUser)
)
| extend UserAgent = coalesce(csUserAgent, UserAgent, RequestUserAgent)
| extend SourceIP = coalesce(cIp, CallerIpAddress, ClientIP)
| project TimeGenerated, SourceIP, UserAgent, RequestPath = coalesce(csUriStem, RequestUri, Url), Method = coalesce(csMethod, HttpMethod, RequestMethod), StatusCode = coalesce(scStatus, ResultCode, HttpStatusCode)
| summarize RequestCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by SourceIP, UserAgent, RequestPath
| where RequestCount >= 1
| extend RiskScore = iif(RequestCount > 5, "High", "Medium")
| project-reorder FirstSeen, LastSeen, SourceIP, RequestPath, RequestCount, RiskScore, UserAgentDetects unauthenticated POST requests to dbgate-serve script execution endpoints. Looks for requests lacking authentication headers to known script runner paths across IIS logs, Azure Diagnostics, and Defender network events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate internal tooling using the dbgate script runner API without authentication in development environments
- Automated health-check or monitoring scripts hitting the dbgate API
- Security scanners and vulnerability assessment tools performing authorized scans
Other platforms for CVE-2026-47668
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47668 PoC — Unauthenticated Script Execution via curl
Expected signal: HTTP POST to /script/run with JSON body containing require('child_process'); Node.js spawns a child process (execve syscall with ppid=node); file /tmp/pwned.txt created by node process user
- Test 2CVE-2026-47668 — Reverse Shell Payload via Script Runner
Expected signal: Node.js spawns /bin/sh child process; outbound TCP connection from node process to ATTACKER_IP:4444 visible in netflow and EDR network telemetry
- Test 3CVE-2026-47668 — Version Fingerprinting and Endpoint Discovery
Expected signal: Multiple GET and POST requests to dbgate host from single source IP in short succession; POST to /script/run with simple JS payload; file write event from node process
Unlock Pro Content
Get the full detection package for CVE-2026-47668 including response playbook, investigation guide, and atomic red team tests.