{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nmcli/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["networkmanager","nmcli"],"_cs_severities":["high"],"_cs_tags":["command-injection","linux","networkmanager"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003esysteminformation\u003c/code\u003e library is vulnerable to a command injection flaw affecting Linux systems. The vulnerability exists within the \u003ccode\u003enetworkInterfaces()\u003c/code\u003e function, specifically when handling active NetworkManager connection profile names. If a NetworkManager connection profile name contains shell metacharacters, the library fails to sanitize the input before using it in shell commands. This allows an attacker who can create or rename an active NetworkManager connection profile to inject and execute arbitrary shell commands with the privileges of the Node.js process using the \u003ccode\u003esysteminformation\u003c/code\u003e library. This vulnerability was validated against real NetworkManager and nmcli. Successful exploitation allows for local privilege escalation if the Node.js process is running with elevated privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates or modifies a NetworkManager connection profile with a malicious name containing shell metacharacters (e.g., \u003ccode\u003ename$(...)\u003c/code\u003e, \u003ccode\u003ename\u0026quot;; ...; #\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe crafted NetworkManager profile is activated via \u003ccode\u003enmcli connection up \u0026lt;malicious_profile_name\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA Node.js application uses the \u003ccode\u003esysteminformation\u003c/code\u003e library and calls the \u003ccode\u003enetworkInterfaces()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetworkInterfaces()\u003c/code\u003e executes \u003ccode\u003enmcli device status\u003c/code\u003e to retrieve network interface information, including the connection name.\u003c/li\u003e\n\u003cli\u003eThe library parses the \u003ccode\u003econnectionName\u003c/code\u003e from the output of \u003ccode\u003enmcli device status\u003c/code\u003e without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003econnectionName\u003c/code\u003e is interpolated into shell commands executed via \u003ccode\u003eexecSync()\u003c/code\u003e in \u003ccode\u003egetLinuxIfaceDHCPstatus()\u003c/code\u003e, \u003ccode\u003egetLinuxIfaceDNSsuffix()\u003c/code\u003e, and \u003ccode\u003egetLinuxIfaceIEEE8021xAuth()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands are executed with the privileges of the Node.js process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system with the privileges of the Node.js process using the \u003ccode\u003esysteminformation\u003c/code\u003e library. This could lead to local privilege escalation if the Node.js process is running with elevated privileges. Affected deployments include local inventory agents, monitoring agents, diagnostics tools, admin dashboard backends collecting host information, and privileged local desktop or device-management agents. If such a process runs with elevated privileges, the injected command executes with those same elevated privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement input sanitization or, preferably, avoid shell interpolation entirely by using \u003ccode\u003eexecFileSync()\u003c/code\u003e or \u003ccode\u003espawnSync()\u003c/code\u003e with argument arrays as recommended in the advisory. This mitigates the command injection vulnerability in \u003ccode\u003elib/network.js\u003c/code\u003e (specifically lines 620, 660, and 676).\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious NetworkManager connection profile modifications, specifically looking for profile names containing shell metacharacters as part of a broader strategy to detect command injection attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect exploitation attempts by monitoring for \u003ccode\u003enmcli\u003c/code\u003e commands with connection names containing shell metacharacters in process execution logs.\u003c/li\u003e\n\u003cli\u003eAudit Node.js applications using \u003ccode\u003esysteminformation\u003c/code\u003e on Linux systems and prioritize patching or implementing the suggested mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:30:15Z","date_published":"2026-05-13T15:30:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-systeminformation-nm-injection/","summary":"The systeminformation library is vulnerable to command injection on Linux systems due to unsanitized NetworkManager connection profile names, allowing attackers to execute arbitrary shell commands via a crafted profile when `networkInterfaces()` is called.","title":"Systeminformation Library Vulnerable to Command Injection via NetworkManager Profile Name","url":"https://feed.craftedsignal.io/briefs/2026-05-systeminformation-nm-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Nmcli","version":"https://jsonfeed.org/version/1.1"}