FKIE_CVE-2026-28279
Vulnerability from fkie_nvd - Published: 2026-02-26 23:16 - Updated: 2026-02-28 01:17
Severity
7.3 (High) - CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H (security-advisories@github.com, secondary)
8.4 (High) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (nvd@nist.gov, primary)
Summary
osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
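The mechanism the summary describes, as an added Go example rather than osctrl's own code: a constructed enrollment one-liner template rendered with `text/template` shows how a hostname containing a double quote and a command lands verbatim in the script; a hardened path applies an RFC 1123 allow-list before rendering and single-quotes the value as defence in depth; and the same allow-list is reused to audit already-stored hostnames, which is the review step the workaround calls for. The `EnvConfig` type, the template text, the function names and the sample hostnames are all assumptions for illustration and do not correspond to osctrl's implementation.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// EnvConfig stands in for the environment record an osctrl-admin user edits.
// Field names are assumptions for this example, not osctrl's own types.
type EnvConfig struct {
	Hostname string
	Secret   string
}

// enrollTmpl is a constructed enrollment one-liner in the style the advisory
// describes: the hostname is interpolated by text/template, which performs no
// shell escaping. It is not osctrl's real template.
const enrollTmpl = `curl -sk "https://{{.Hostname}}/{{.Secret}}/enroll.sh" | sh`

// RenderUnsafe reproduces the flaw: whatever is in Hostname lands verbatim in
// the script, so a double quote followed by a command breaks out of the URL.
func RenderUnsafe(cfg EnvConfig) (string, error) {
	t := template.Must(template.New("enroll").Parse(enrollTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hostnameRe is an allow-list: RFC 1123 labels joined by dots, with an
// optional port. None of the accepted characters is a shell metacharacter.
var hostnameRe = regexp.MustCompile(
	`(?i)^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*(:\d{1,5})?$`)

// ValidateHostname is the check to run when an environment is created or
// edited, before the value is persisted or rendered into any script.
func ValidateHostname(h string) error {
	if h == "" || len(h) > 253 {
		return fmt.Errorf("hostname length %d out of range", len(h))
	}
	if !hostnameRe.MatchString(h) {
		return fmt.Errorf("hostname %q is not a valid RFC 1123 host[:port]", h)
	}
	return nil
}

// ShellQuote wraps s in POSIX single quotes, closing and reopening the quote
// around any embedded single quote so the shell sees one literal word.
func ShellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// RenderSafe validates first and quotes second, so a value that somehow
// bypasses validation still cannot terminate the shell word.
func RenderSafe(cfg EnvConfig) (string, error) {
	if err := ValidateHostname(cfg.Hostname); err != nil {
		return "", err
	}
	t := template.Must(template.New("enroll").
		Funcs(template.FuncMap{"shq": ShellQuote}).
		Parse(`curl -sk {{shq (printf "https://%s/%s/enroll.sh" .Hostname .Secret)}} | sh`))
	var buf bytes.Buffer
	if err := t.Execute(&buf, cfg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// AuditHostnames applies the same allow-list to already-stored environments,
// which is the "review existing configurations" workaround from the advisory.
func AuditHostnames(hosts []string) []string {
	var flagged []string
	for _, h := range hosts {
		if err := ValidateHostname(h); err != nil {
			flagged = append(flagged, h)
		}
	}
	return flagged
}

func main() {
	// Constructed malicious hostname: closes the URL's double quote, runs a
	// command, then reopens the quote so the rest of the line still parses.
	evil := EnvConfig{Hostname: `osctrl.example.com"; id; echo "`, Secret: "secret123"}
	out, _ := RenderUnsafe(evil)
	fmt.Println("vulnerable:", out)

	if _, err := RenderSafe(evil); err != nil {
		fmt.Println("hardened rejects:", err)
	}
	good := EnvConfig{Hostname: "osctrl.example.com:8443", Secret: "secret123"}
	out, _ = RenderSafe(good)
	fmt.Println("hardened:", out)

	fmt.Println("flagged:", AuditHostnames([]string{"osctrl.example.com", evil.Hostname}))
}
```

The allow-list is the real fix; the quoting only limits damage if a value reaches the template by another path. Note that `html/template` would not help here either: its escaping targets HTML and JavaScript contexts, not `sh`, so the validation has to happen at the admin input boundary.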
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/jmpsec/osctrl/pull/777 | Issue Tracking, Patch | |
| security-advisories@github.com | https://github.com/jmpsec/osctrl/pull/780 | Issue Tracking, Patch | |
| security-advisories@github.com | https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm | Vendor Advisory, Mitigation |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jmpsec:osctrl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCE1BE74-A736-44A6-ABC7-D1D48E7A0EA5",
"versionEndExcluding": "0.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go\u0027s `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands."
},
{
"lang": "es",
"value": "osctrl es una soluci\u00f3n de gesti\u00f3n de osquery. Antes de la versi\u00f3n 0.5.0, existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en la configuraci\u00f3n del entorno de `osctrl-admin`. Un administrador autenticado puede inyectar comandos de shell arbitrarios a trav\u00e9s del par\u00e1metro de nombre de host al crear o editar entornos. Estos comandos se incrustan en scripts de una sola l\u00ednea de inscripci\u00f3n generados usando el paquete `text/template` de Go (que no realiza el escape de shell) y se ejecutan en cada punto final que se inscribe usando el entorno comprometido. Un atacante con acceso de administrador puede lograr la ejecuci\u00f3n remota de c\u00f3digo en cada punto final que se inscribe usando el entorno comprometido. Los comandos se ejecutan como root/SYSTEM (el nivel de privilegio utilizado para la inscripci\u00f3n de osquery) antes de que se instale osquery, sin dejar rastro de auditor\u00eda a nivel de agente. Esto permite la instalaci\u00f3n de puertas traseras, la exfiltraci\u00f3n de credenciales y el compromiso total del punto final. Esto se corrige en osctrl `v0.5.0`. Como soluci\u00f3n alternativa, restrinja el acceso de administrador de osctrl a personal de confianza, revise las configuraciones de entorno existentes en busca de nombres de host sospechosos y/o monitoree los scripts de inscripci\u00f3n en busca de comandos inesperados."
}
],
"id": "CVE-2026-28279",
"lastModified": "2026-02-28T01:17:13.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-26T23:16:37.567",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/jmpsec/osctrl/pull/777"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/jmpsec/osctrl/pull/780"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Mitigation"
],
"url": "https://github.com/jmpsec/osctrl/security/advisories/GHSA-rchw-322g-f7rm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.