CVE-2026-48062 Sumo Logic CSE · Sumo

Detect CVE-2026-48062: CodeIgniter4 File Upload Extension Validation Bypass (ext_in Rule) in Sumo Logic CSE

CVE-2026-48062 affects CodeIgniter4 framework versions prior to 4.7.2. The `ext_in` validation rule fails to properly validate file extensions during upload, allowing attackers to bypass extension restrictions and upload arbitrary files including web shells or malicious executables. This unrestricted file upload vulnerability (CWE-434) has a CVSS score of 9.8 and a public proof-of-concept. Successful exploitation can lead to remote code execution on the hosting server.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/access OR _sourceCategory=linux/syslog
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .* \"(?<method>POST|PUT) (?<uri>[^\"]+)\" (?<status>\d{3})"
| where method in ("POST", "PUT")
| where uri matches "*upload*" or uri matches "*writable*" or uri matches "*public*"
| where uri matches "*.php" or uri matches "*.phtml" or uri matches "*.phar" or uri matches "*.php5" or uri matches "*.php7" or uri matches "*.shtml"
| where status in ("200", "201", "204")
| timeslice 1h
| count by _timeslice, src_ip, uri, status
| order by _count desc
critical severity medium confidence

Sumo Logic query correlating successful (2xx) HTTP POST/PUT requests uploading PHP-family script files to web upload directories, filtering for confirmed successful uploads that may indicate CodeIgniter4 ext_in exploitation.

Data Sources

Web server access logsApplication logsLinux syslog

Required Tables

web/accesslinux/syslog

False Positives & Tuning

  • Legitimate CMS platforms that allow PHP plugin uploads through authenticated admin interfaces
  • Automated deployment tools with service accounts uploading application files
  • Development environments where PHP files are routinely uploaded for testing
  • CDN or proxy log forwarding creating duplicate entries with POST methods

Other platforms for CVE-2026-48062

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate CodeIgniter4 ext_in Bypass via Crafted Multipart Upload

    Expected signal: HTTP POST to upload endpoint with Content-Type image/jpeg but .php file extension; file creation event in upload directory for a .php file; web server process as the initiating process for the file write

  2. Test 2Web Shell Execution Verification After Upload

    Expected signal: HTTP GET requests to PHP file path in upload directory; process tree showing web server (apache2/nginx/php-fpm) spawning shell or system binaries (id, whoami, uname); network connections to external IP if reverse shell payload used

  3. Test 3Filesystem Reconnaissance via Uploaded Web Shell

    Expected signal: Process events for cat, ls, find spawned by php-fpm or apache2 with web server UID; file read events on /etc/passwd and .env files initiated by web server process; auditd SYSCALL records for execve by www-data user

Last updated: 2026-06-21 Research depth: standard
References (6)

Unlock Pro Content

Get the full detection package for CVE-2026-48062 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1059.004Unix Shell

Same Tactic: Initial Access

Popular Detections