Detect Pheditor OS Command Injection via Unsanitized 'dir' Parameter (CVE-2026-48030) in Sumo Logic CSE
Detects exploitation of CVE-2026-48030, a critical OS command injection vulnerability in Pheditor versions 2.0.1 through 2.0.3. The terminal handler accepts an unsanitized 'dir' parameter that is passed directly to a shell command, allowing unauthenticated or authenticated attackers to execute arbitrary OS commands on the hosting server. A public proof-of-concept exists, making active exploitation likely.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=web/access OR _sourceCategory=linux/audit
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "\"(?:GET|POST|PUT)\s+(?P<request_uri>[^\s]+)" nodrop
| parse regex "execve\(\"(?P<executed_binary>[^\"]+)\"" nodrop
| parse regex "\"(?P<process_args>[^\"]+)\"" nodrop
| where request_uri matches "*pheditor*" or request_uri matches "*terminal*"
| where (
request_uri matches "*dir=*%26*" or
request_uri matches "*dir=*%7C*" or
request_uri matches "*dir=*%3B*" or
request_uri matches "*dir=*whoami*" or
request_uri matches "*dir=*wget*" or
request_uri matches "*dir=*curl*" or
request_uri matches "*dir=*bash*" or
request_uri matches "*dir=*sh+-c*" or
request_uri matches "*dir=*python*-c*" or
request_uri matches "*dir=*`*"
)
| eval injection_detected = "true"
| count as hit_count by client_ip, request_uri, injection_detected
| where hit_count >= 1
| sort by hit_count desc
| fields client_ip, request_uri, hit_count, injection_detectedSumo Logic query identifying HTTP requests to Pheditor terminal endpoints with URL-encoded OS command injection payloads in the 'dir' parameter, grouping results by source IP to surface repeated exploitation attempts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Pheditor terminal usage with URL-encoded directory parameters
- Web application firewalls or proxies that re-encode legitimate requests
- Security testing suites performing automated vulnerability scanning
- Developers passing complex directory strings through the Pheditor UI
Other platforms for CVE-2026-48030
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic whoami Injection via dir Parameter
Expected signal: Web server access log entry showing request URI containing '%3B' and 'whoami'. Auditd EXECVE record for /usr/bin/whoami with parent process php-fpm or apache2 and uid matching the web server service account.
- Test 2Out-of-Band Data Exfiltration via DNS Lookup
Expected signal: DNS query from web server IP to attacker-controlled domain visible in DNS server logs and network flow data. Auditd record for nslookup or dig process spawned under web server account. NetworkConnect events from DeviceNetworkEvents to the external DNS resolver.
- Test 3Web Shell Implantation via Piped Command Chain
Expected signal: Auditd OPENAT/CREATE syscall for /var/www/html/shell.php attributed to web server service account. File creation event in EDR telemetry (DeviceFileEvents or equivalent) with InitiatingProcessFileName=php/apache2 and FileName=shell.php. Web server access log entry with %7C in the dir parameter.
- Test 4Reverse Shell via Bash TCP Redirect
Expected signal: Auditd EXECVE for bash with arguments '-i' and '/dev/tcp/ATTACKER_LAB_IP/4444' under web server parent process. Outbound TCP connection from web server to attacker lab IP on port 4444 in network flow logs. DeviceNetworkEvents entry from the EDR showing the connection establishment.
Unlock Pro Content
Get the full detection package for CVE-2026-48030 including response playbook, investigation guide, and atomic red team tests.