Detect Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) in Splunk
Detects exploitation of CVE-2026-48030, a critical OS command injection vulnerability in Pheditor versions 2.0.1 through 2.0.3. The terminal handler accepts an unsanitized 'dir' parameter that is passed directly to a shell command, allowing unauthenticated or authenticated attackers to execute arbitrary OS commands on the hosting server. A public proof-of-concept exists, making active exploitation likely.
MITRE ATT&CK
SPL Detection Query
index=web OR index=os sourcetype IN ("access_combined", "apache_access", "nginx:access", "iis", "linux_audit", "syslog", "auditd")
| eval is_pheditor_request = if(match(uri_path, "(?i)pheditor") OR match(uri_query, "(?i)(dir=|terminal)"), 1, 0)
| eval has_injection_chars = if(match(uri_query, "(?i)(%26|%7C|%3B|%60|\$\(|&&|\|\||;)") OR match(uri_query, "(?i)(whoami|id%20|uname|passwd|wget|curl|bash|sh%20-c|python.*-c|chmod|/tmp/)"), 1, 0)
| where is_pheditor_request=1 OR has_injection_chars=1
| eval combined_indicator = if(is_pheditor_request=1 AND has_injection_chars=1, "HIGH_CONFIDENCE", if(is_pheditor_request=1 OR has_injection_chars=1, "MEDIUM_CONFIDENCE", "LOW_CONFIDENCE"))
| join type=left clientip [
search index=os sourcetype IN ("linux_audit", "auditd", "syslog") "execve"
| rex field=_raw "execve\(\"(?P<executed_cmd>[^\"]+)\""
| eval suspicious_cmd = if(match(executed_cmd, "(?i)(whoami|id$|uname|cat\s+/etc|wget\s+http|curl\s+http|bash\s+-[ic]|sh\s+-c|nc\s+-|ncat|chmod)"), 1, 0)
| where suspicious_cmd=1
| stats count as cmd_count, values(executed_cmd) as executed_commands by src_ip
| rename src_ip as clientip
]
| where combined_indicator="HIGH_CONFIDENCE" OR (combined_indicator="MEDIUM_CONFIDENCE" AND cmd_count > 0)
| table _time, clientip, uri_path, uri_query, status, combined_indicator, executed_commands, cmd_count
| eval alert_name="CVE-2026-48030 Pheditor Command Injection Suspected"
The query correlates web access logs for Pheditor terminal handler requests containing injection metacharacters with OS-level audit events showing suspicious process execution from the web server account, providing high-fidelity exploitation detection.
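The same correlation reduced to plain Python over a few constructed log lines, as an added example that is not part of this page or of Pheditor. It assumes Combined Log Format access lines and simplified auditd EXECVE records; because auditd records carry no remote client IP, it joins on a short time window after the request rather than on clientip as the SPL does.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs
# Constructed sample telemetry (not from the page or from Pheditor); IPs are RFC 5737 documentation addresses.
ACCESS_LOG = [
    '203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /pheditor/terminal?dir=.%3Bwhoami HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/May/2026:10:01:05 +0000] "GET /pheditor/terminal?dir=%2Fsrv%2Fproject%20%28v2%29 HTTP/1.1" 200 128',
    '198.51.100.9 - - [12/May/2026:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
]
# Simplified auditd EXECVE records; epoch 1778580063 is 2026-05-12T10:01:03Z, one second after the first request.
AUDIT_LOG = [
    'type=EXECVE msg=audit(1778580063.101:501): argc=1 a0="whoami"',
    'type=EXECVE msg=audit(1778580100.250:777): argc=2 a0="ls" a1="/srv/project (v2)"',
]
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d+)')
AUDIT_RE = re.compile(r'^type=EXECVE msg=audit\((?P<epoch>\d+)\.\d+:\d+\): argc=\d+ (?P<args>.*)$')
SHELL_META = re.compile(r'[;&|`]|\$\(')        # checked after URL-decoding, so %3B and a literal ';' look the same
SUSPICIOUS_CMD = re.compile(r'^(whoami|id|uname|wget|curl|bash|sh|nc|ncat|chmod)$')

def classify_request(line):
    """Return (client_ip, timestamp, confidence) for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(m['uri'])
    dir_values = parse_qs(url.query).get('dir', [])          # parse_qs URL-decodes the value once
    is_pheditor = 'pheditor' in url.path.lower() or bool(dir_values)
    has_meta = any(SHELL_META.search(v) for v in dir_values)
    confidence = 'HIGH' if is_pheditor and has_meta else 'MEDIUM' if is_pheditor or has_meta else 'LOW'
    return m['ip'], ts, confidence

def suspicious_execs(audit_lines):
    """Yield (timestamp, argv0) for EXECVE records whose program name is on the watch list."""
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        argv = re.findall(r'a\d+="([^"]*)"', m['args']) if m else []
        if argv and SUSPICIOUS_CMD.match(argv[0].rsplit('/', 1)[-1]):
            yield datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc), argv[0]

def correlate(access_lines, audit_lines, window_s=5):
    """Page's rule: alert on HIGH, or on MEDIUM only when a watched command ran within window_s seconds."""
    execs = list(suspicious_execs(audit_lines))
    alerts = []
    for parsed in filter(None, map(classify_request, access_lines)):
        ip, ts, conf = parsed
        cmds = [cmd for t, cmd in execs if ts <= t <= ts + timedelta(seconds=window_s)]
        if conf == 'HIGH' or (conf == 'MEDIUM' and cmds):
            alerts.append({'clientip': ip, 'confidence': conf, 'commands': cmds})
    return alerts
```

The second request (a directory name with spaces and parentheses) scores MEDIUM with no watched command in its window and is dropped, which is the legitimate-path false positive listed under tuning.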
Data Sources
Required Sourcetypes
False Positives & Tuning
- Developers legitimately using Pheditor's terminal to navigate directories with special characters in path names
- URL-encoded directory paths that superficially resemble injection payloads
- Security testing tools scanning the application surface area
- Automated backup or monitoring scripts that invoke the Pheditor API programmatically
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Basic whoami Injection via dir Parameter
Expected signal: Web server access log entry showing request URI containing '%3B' and 'whoami'. Auditd EXECVE record for /usr/bin/whoami with parent process php-fpm or apache2 and uid matching the web server service account.
- Test 2: Out-of-Band Data Exfiltration via DNS Lookup
Expected signal: DNS query from web server IP to attacker-controlled domain visible in DNS server logs and network flow data. Auditd record for nslookup or dig process spawned under web server account. NetworkConnect events from DeviceNetworkEvents to the external DNS resolver.
- Test 3: Web Shell Implantation via Piped Command Chain
Expected signal: Auditd OPENAT/CREATE syscall for /var/www/html/shell.php attributed to web server service account. File creation event in EDR telemetry (DeviceFileEvents or equivalent) with InitiatingProcessFileName=php/apache2 and FileName=shell.php. Web server access log entry with %7C in the dir parameter.
- Test 4: Reverse Shell via Bash TCP Redirect
Expected signal: Auditd EXECVE for bash with arguments '-i' and '/dev/tcp/ATTACKER_LAB_IP/4444' under web server parent process. Outbound TCP connection from web server to attacker lab IP on port 4444 in network flow logs. DeviceNetworkEvents entry from the EDR showing the connection establishment.