Categories: Cyber Security News

OneUptime Command Injection Flaw Enables Full Server Takeover

A critical command injection vulnerability in OneUptime, a popular platform for monitoring online services, lets authenticated users hijack Probe servers.

Tracked as CVE-2026-27728, this flaw risks complete system compromise for organizations relying on versions before 10.0.7.

Security firm SentinelOne disclosed the issue, urging immediate patching to block remote code execution (RCE).

Vulnerability Breakdown

The problem hides in OneUptime’s Probe Server component, specifically the NetworkPathMonitor.performTraceroute() function.

Vulnerability Details (Source: SentinelOne)

This handles traceroute operations using user-supplied “destination” inputs from monitor configs. The code calls Node.js’s child_process.exec(), which runs commands in a shell.

Shells parse metacharacters like ;, |, &, $(), and backticks, letting attackers escape the traceroute and inject malicious commands.

Any authenticated project user, even with basic permissions, can exploit it. They craft a monitor with a poisoned destination, such as example.com; cat /etc/passwd or $(whoami).

When the Probe processes it, the extra commands run with server privileges, enabling data theft, lateral movement, or full takeover.

CVE Detail           Description
CVE ID               CVE-2026-27728
CVSS Score           9.1 (Critical)
Affected Component   OneUptime Probe Server (NetworkPathMonitor.performTraceroute())

Attackers need only project access. They set a malicious monitor config, trigger the traceroute, and execute OS commands.

Outcomes include dumping sensitive files, installing malware, or pivoting to other systems. Probe servers often run with elevated privileges, amplifying damage in enterprise setups.

OneUptime fixed it in version 10.0.7 by swapping exec() for execFile(). This runs binaries directly with argument arrays, dodging shell interpretation and metacharacter abuse. No shell means no injection.

Mitigation Steps

  • Patch Now: Update to 10.0.7 or later.
  • Audit Monitors: Scan configs for odd destinations with special chars.
  • Monitor Activity: Log for rogue processes, odd connections, or file changes on Probes.
  • Workarounds: Isolate Probes, restrict user permissions, and limit network access if patching is delayed.

Organizations using OneUptime for uptime monitoring face high risks from insider or compromised low-priv accounts. Act fast to secure infrastructure.


The post OneUptime Command Injection Flaw Enables Full Server Takeover appeared first on Cyber Security News.
