Detect Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) in Elastic Security
Detects exploitation of CVE-2026-48030, a critical OS command injection vulnerability in Pheditor versions 2.0.1 through 2.0.3. The terminal handler accepts an unsanitized 'dir' parameter that is passed directly to a shell command, allowing unauthenticated or authenticated attackers to execute arbitrary OS commands on the hosting server. A public proof-of-concept exists, making active exploitation likely.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=30s
[network where
process.name in ("apache2", "httpd", "nginx", "php", "php-fpm", "php-cgi") and
(http.request.uri.path : "*pheditor*" or http.request.uri.query : "*dir=*") and
(
http.request.uri.query : "*%26*" or
http.request.uri.query : "*%7C*" or
http.request.uri.query : "*%3B*" or
http.request.uri.query : "*whoami*" or
http.request.uri.query : "*wget*" or
http.request.uri.query : "*curl*" or
http.request.uri.query : "*bash*" or
http.request.uri.query : "*sh+-c*" or
http.request.uri.query : "*$(*)" or
http.request.uri.query : "*`*"
)
]
[process where
process.parent.name in ("apache2", "httpd", "nginx", "php", "php-fpm", "php-cgi", "www-data") and
process.name in ("sh", "bash", "dash", "ash", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat", "wget", "curl", "id", "whoami", "uname") and
not process.command_line : "*-t mime*"
]EQL sequence rule correlating inbound HTTP requests to the Pheditor terminal endpoint containing injection metacharacters with subsequent shell or utility process spawned under the web server process hierarchy within a 30-second window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative use of Pheditor terminal in development environments where developers run common tools
- Monitoring agents that spawn shell commands from the web server account for health checks
- Application frameworks that legitimately execute shell utilities via PHP proc_open or similar functions
- Encoding of benign directory paths that trigger metacharacter pattern matches
Other platforms for CVE-2026-48030
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic whoami Injection via dir Parameter
Expected signal: Web server access log entry showing request URI containing '%3B' and 'whoami'. Auditd EXECVE record for /usr/bin/whoami with parent process php-fpm or apache2 and uid matching the web server service account.
- Test 2Out-of-Band Data Exfiltration via DNS Lookup
Expected signal: DNS query from web server IP to attacker-controlled domain visible in DNS server logs and network flow data. Auditd record for nslookup or dig process spawned under web server account. NetworkConnect events from DeviceNetworkEvents to the external DNS resolver.
- Test 3Web Shell Implantation via Piped Command Chain
Expected signal: Auditd OPENAT/CREATE syscall for /var/www/html/shell.php attributed to web server service account. File creation event in EDR telemetry (DeviceFileEvents or equivalent) with InitiatingProcessFileName=php/apache2 and FileName=shell.php. Web server access log entry with %7C in the dir parameter.
- Test 4Reverse Shell via Bash TCP Redirect
Expected signal: Auditd EXECVE for bash with arguments '-i' and '/dev/tcp/ATTACKER_LAB_IP/4444' under web server parent process. Outbound TCP connection from web server to attacker lab IP on port 4444 in network flow logs. DeviceNetworkEvents entry from the EDR showing the connection establishment.
Unlock Pro Content
Get the full detection package for CVE-2026-48030 including response playbook, investigation guide, and atomic red team tests.