{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/systeminformation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["systeminformation (\u003c= 5.31.6)"],"_cs_severities":["high"],"_cs_tags":["command-injection","os-command-injection","systeminformation","nodejs","linux","exploitation"],"_cs_type":"advisory","_cs_vendors":["systeminformation"],"content_html":"\u003cp\u003eThe \u003ccode\u003esysteminformation\u003c/code\u003e Node.js library, specifically versions up to and including 5.31.6, is affected by CVE-2026-50289, a high-severity OS command injection vulnerability on Linux systems, particularly Debian/Ubuntu variants utilizing \u003ccode\u003einterfaces(5)\u003c/code\u003e. The \u003ccode\u003enetworkInterfaces()\u003c/code\u003e function insecurely handles paths specified in \u003ccode\u003esource\u003c/code\u003e directives within \u003ccode\u003e/etc/network/interfaces\u003c/code\u003e and transitively sourced files. When processing these configuration files to collect DHCP state, the library extracts paths from \u003ccode\u003esource\u003c/code\u003e lines and interpolates them, unquoted, into a shell command string executed via \u003ccode\u003eexecSync()\u003c/code\u003e. This allows an attacker capable of placing or influencing a malicious \u003ccode\u003esource\u003c/code\u003e path to inject shell metacharacters, leading to arbitrary command execution. This vulnerability presents a significant risk to applications using \u003ccode\u003esysteminformation\u003c/code\u003e as local inventory, monitoring, or admin-dashboard backends, as successful exploitation grants the attacker command execution with the privileges of the Node.js process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to write to or influence the content of \u003ccode\u003e/etc/network/interfaces\u003c/code\u003e or any file transitively \u003ccode\u003esource\u003c/code\u003ed by it. This could be a lower-privileged process, a configuration management hook, or a tool that materializes interface snippets from semi-trusted input.\u003c/li\u003e\n\u003cli\u003eThe attacker inserts a \u003ccode\u003esource\u003c/code\u003e directive into one of these configuration files, where the path contains shell metacharacters (e.g., \u003ccode\u003e/dev/null;id\u0026gt;${marker};echo\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA Node.js application, running on the vulnerable Linux system, invokes the \u003ccode\u003esysteminformation\u003c/code\u003e library's \u003ccode\u003enetworkInterfaces()\u003c/code\u003e function (or \u003ccode\u003egetStaticData()\u003c/code\u003e, \u003ccode\u003egetAllData()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetworkInterfaces()\u003c/code\u003e function on Linux calls \u003ccode\u003egetLinuxDHCPNics()\u003c/code\u003e, which in turn calls \u003ccode\u003echeckLinuxDCHPInterfaces('/etc/network/interfaces')\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003echeckLinuxDCHPInterfaces()\u003c/code\u003e, the function reads the content of the \u003ccode\u003einterfaces\u003c/code\u003e file using \u003ccode\u003ecat ${file} ...\u003c/code\u003e. The \u003ccode\u003esource\u003c/code\u003e directive's malicious path is read and passed as the \u003ccode\u003efile\u003c/code\u003e argument for a recursive call to \u003ccode\u003echeckLinuxDCHPInterfaces()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn the recursive call, the new malicious \u003ccode\u003efile\u003c/code\u003e path is unquotedly interpolated into another \u003ccode\u003ecat ${file} 2\u0026gt; /dev/null | grep 'iface\\\\|source'\u003c/code\u003e shell command.\u003c/li\u003e\n\u003cli\u003eThe injected shell metacharacters (\u003ccode\u003e/dev/null;id\u0026gt;${marker};echo\u003c/code\u003e for example) break out of the intended \u003ccode\u003ecat\u003c/code\u003e command, leading to the execution of arbitrary commands (e.g., \u003ccode\u003eid\u003c/code\u003e) with the privileges of the Node.js process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves command execution, potentially elevating privileges or performing further malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50289 leads to arbitrary command execution on the affected Linux system. Any process that calls \u003ccode\u003enetworkInterfaces()\u003c/code\u003e, often found in local inventory agents, monitoring and diagnostics agents, admin-dashboard backends, or device-management software, is vulnerable. If these Node.js processes run with elevated privileges (e.g., as root), the injected commands will also execute with those elevated privileges, potentially leading to full system compromise. The vulnerability is easily triggered through ordinary usage of core \u003ccode\u003esysteminformation\u003c/code\u003e APIs, making it a critical risk for systems running vulnerable versions. The attacker gains the ability to run any command, potentially installing backdoors, exfiltrating data, or disrupting services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-50289 immediately\u003c/strong\u003e: Update \u003ccode\u003esysteminformation\u003c/code\u003e to a version greater than 5.31.6 to remediate CVE-2026-50289.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor for suspicious \u003ccode\u003esh\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e process creations\u003c/strong\u003e: Deploy the \u003ccode\u003eDetect CVE-2026-50289 Exploitation - Suspicious Shell Execution\u003c/code\u003e Sigma rule to your SIEM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable process creation logging\u003c/strong\u003e: Ensure \u003ccode\u003eprocess_creation\u003c/code\u003e logging (e.g., Sysmon on Linux, Auditd) is enabled for Linux systems to capture shell command executions and their arguments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict write access to network configuration files\u003c/strong\u003e: Limit write permissions to \u003ccode\u003e/etc/network/interfaces\u003c/code\u003e and related directories (\u003ccode\u003e/etc/network/interfaces.d/\u003c/code\u003e) to only authorized administrators or processes to prevent attackers from injecting malicious \u003ccode\u003esource\u003c/code\u003e directives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T23:12:30Z","date_published":"2026-07-15T23:12:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-os-command-injection-systeminformation/","summary":"A high-severity OS command injection vulnerability, CVE-2026-50289, exists in the `systeminformation` Node.js library on Linux systems, allowing an attacker who can manipulate `interfaces(5)` configuration files to execute arbitrary commands with the privileges of the calling Node.js process by injecting shell metacharacters into `source` directive paths, which are then unsafely interpolated into an `execSync()` command within the `networkInterfaces()` function.","title":"OS Command Injection Vulnerability in systeminformation Library via networkInterfaces()","url":"https://feed.craftedsignal.io/briefs/2026-07-os-command-injection-systeminformation/"}],"language":"en","title":"CraftedSignal Threat Feed - Systeminformation","version":"https://jsonfeed.org/version/1.1"}