CVE-2026-47668 Splunk · SPL

Detect CVE-2026-47668: DbGate Unauthenticated RCE via JSON Script Runner in Splunk

Detects exploitation of CVE-2026-47668, a critical unauthenticated remote code execution vulnerability in dbgate-serve <= 7.1.8. The JSON Script Runner endpoint accepts and executes arbitrary JavaScript/JSON payloads without authentication, allowing attackers to achieve full server compromise. A public PoC is available.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Impact

SPL Detection Query

Splunk (SPL)
spl 
index=web OR index=proxy OR index=iis sourcetype=access_combined OR sourcetype=iis OR sourcetype=nginx:access
| search (uri_path="*/script/run*" OR uri_path="*/script/execute*" OR uri_path="*/run-script*" OR uri_path="*/api/script*") method=POST
| eval auth_header=if(isnull(cs_Authorization) OR cs_Authorization="-" OR cs_Authorization="", "none", cs_Authorization)
| where auth_header="none"
| eval status_code=coalesce(status, sc_status)
| stats count AS request_count, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(uri_path) AS paths_accessed, values(status_code) AS response_codes BY src_ip, http_user_agent
| eval risk=case(request_count>10, "critical", request_count>3, "high", true(), "medium")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table first_seen, last_seen, src_ip, request_count, paths_accessed, response_codes, risk, http_user_agent
| sort -request_count
critical severity high confidence

Detects unauthenticated POST requests to dbgate script runner endpoints via web/proxy/IIS logs. Aggregates by source IP to identify scanning and exploitation attempts.

Data Sources

Web proxy logsIIS logsNginx access logsApache access logs

Required Sourcetypes

access_combinediisnginx:accessapache:access

False Positives & Tuning

  • Legitimate internal API calls from trusted internal networks using the script runner without HTTP auth headers
  • Development and staging environments where dbgate runs without authentication by design
  • Authorized penetration testing or red team exercises

Other platforms for CVE-2026-47668

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47668 PoC — Unauthenticated Script Execution via curl

    Expected signal: HTTP POST to /script/run with JSON body containing require('child_process'); Node.js spawns a child process (execve syscall with ppid=node); file /tmp/pwned.txt created by node process user

  2. Test 2CVE-2026-47668 — Reverse Shell Payload via Script Runner

    Expected signal: Node.js spawns /bin/sh child process; outbound TCP connection from node process to ATTACKER_IP:4444 visible in netflow and EDR network telemetry

  3. Test 3CVE-2026-47668 — Version Fingerprinting and Endpoint Discovery

    Expected signal: Multiple GET and POST requests to dbgate host from single source IP in short succession; POST to /script/run with simple JS payload; file write event from node process

Last updated: 2026-06-21 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-47668 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.007JavaScriptT1203Exploitation for Client Execution

Same Tactic: Initial Access

Popular Detections