CVE-2026-28279

Severity: High
Published: 26 February 2026
Modified: 28 February 2026
KEV Added: not listed
Patch: fixed in osctrl 0.5.0
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0090 (55.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28279 is a high-severity OS Command Injection (CWE-78) vulnerability in Jmpsec Osctrl. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 45.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28279 is an OS command injection vulnerability in osctrl, an osquery management solution, affecting versions prior to 0.5.0. The flaw resides in the osctrl-admin environment configuration, where the hostname parameter used during environment creation or editing allows injection of arbitrary shell commands. These commands are embedded into enrollment one-liner scripts generated via Go's text/template package, which lacks shell escaping, leading to execution on endpoints during enrollment.

An authenticated administrator can exploit this vulnerability to achieve remote code execution on every endpoint that enrolls using the compromised environment. The injected commands execute with root or SYSTEM privileges before osquery is installed, so they leave no agent-level audit trail. This enables attackers to install backdoors, exfiltrate credentials, and fully compromise endpoints. Exploitation requires administrator privileges, adjacent network access, high attack complexity, and user interaction, as reflected in the CVSS v3.1 score of 7.3 (AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H); the weakness is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The vulnerability is fixed in osctrl version 0.5.0. Advisories recommend restricting osctrl administrator access to trusted personnel, reviewing existing environment configurations for suspicious hostnames, and monitoring enrollment scripts for unexpected commands as workarounds. Details are available in the GitHub security advisory (GHSA-rchw-322g-f7rm) and related pull requests #777 and #780.

Vulnerability details

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the `osctrl-admin` environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts generated using Go's `text/template` package (which does not perform shell escaping) and execute on every endpoint that enrolls using the compromised environment. An attacker with administrator access can achieve remote code execution on every endpoint that enrolls using the compromised environment. Commands execute as root/SYSTEM (the privilege level used for osquery enrollment) before osquery is installed, leaving no agent-level audit trail. This enables backdoor installation, credential exfiltration, and full endpoint compromise. This is fixed in osctrl `v0.5.0`. As a workaround, restrict osctrl administrator access to trusted personnel, review existing environment configurations for suspicious hostnames, and/or monitor enrollment scripts for unexpected commands.
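The root cause described above (and in the deeper analysis) is that `text/template` substitutes a value verbatim, so a hostname containing shell metacharacters becomes part of the generated one-liner. The following is an added illustration written for this page, not osctrl's own code: the template string, field name and functions are constructed stand-ins. It renders a hostname into a one-liner the weak way, then shows the allow-list validation (the SI-10 style control) that rejects anything outside the host[:port] grammar, plus a small helper for the advisory's workaround of auditing stored hostnames for shell metacharacters.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// enrollTemplate is a constructed stand-in for the shape of an enrollment
// one-liner; it is NOT osctrl's real template. The {{.Hostname}} action is
// substituted verbatim because text/template performs no shell escaping.
const enrollTemplate = `curl -sk "https://{{.Hostname}}/osctrl/enroll" | sh`

// hostnameRe accepts RFC 1123 style host names (labels of letters, digits and
// hyphens separated by dots) with an optional :port. Anything a shell could
// interpret (spaces, ; | & $ ` ( ) quotes, newlines) falls outside this set.
var hostnameRe = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*(:[0-9]{1,5})?$`)

var ErrInvalidHostname = errors.New("hostname is not a valid host[:port]")

// ValidateHostname is the allow-list check that the hostname parameter should
// pass before it is stored or rendered into any script.
func ValidateHostname(h string) error {
	if len(h) == 0 || len(h) > 253 || !hostnameRe.MatchString(h) {
		return ErrInvalidHostname
	}
	return nil
}

// RenderUnchecked renders the one-liner the weak way: the value goes into the
// template untouched, so whatever was typed into the form ends up in the script.
func RenderUnchecked(hostname string) (string, error) {
	tmpl, err := template.New("enroll").Parse(enrollTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, map[string]string{"Hostname": hostname}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// RenderValidated is the hardened form: reject anything outside the hostname
// grammar before it can reach the template at all.
func RenderValidated(hostname string) (string, error) {
	if err := ValidateHostname(hostname); err != nil {
		return "", fmt.Errorf("refusing to render enrollment script: %w", err)
	}
	return RenderUnchecked(hostname)
}

// ContainsShellMetachars supports the advisory's workaround of reviewing stored
// environment hostnames: it reports whether a value carries characters a POSIX
// shell would treat specially.
func ContainsShellMetachars(s string) bool {
	return strings.ContainsAny(s, " \t\n;|&$`()<>'\"\\*?{}[]")
}

func main() {
	// Constructed sample inputs: one well-formed host:port, one carrying a
	// harmless marker command after a shell separator.
	samples := []string{"osctrl.example.com:8443", "osctrl.example.com; echo injected"}
	for _, h := range samples {
		out, err := RenderValidated(h)
		fmt.Printf("%-40q valid=%v suspicious=%v\n", h, err == nil, ContainsShellMetachars(h))
		if err == nil {
			fmt.Println("  ", out)
		}
	}
}
```

Validation on the way in is the fix that matters; `ContainsShellMetachars` is only a review aid for configurations created before the upgrade, since a value that already sits in the database has already been rendered for every endpoint that enrolled with it.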

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1072 Software Deployment Tools (tactic: Execution)
Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network.
Why these techniques?

OS command injection into enrollment one-liner scripts (via unsanitized hostname in Go template) directly enables arbitrary Unix shell command execution on endpoints (T1059.004) and abuse of the osquery management/deployment platform to push code to all enrolling agents (T1072).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28280 (same product: Jmpsec Osctrl)
CVE-2024-55590 (shared CWE-78)
CVE-2026-45629 (shared CWE-78)
CVE-2026-45630 (shared CWE-78)
CVE-2025-34227 (shared CWE-78)
CVE-2026-1460 (shared CWE-78)
CVE-2025-22606 (shared CWE-78)
CVE-2026-26280 (shared CWE-78)
CVE-2026-31386 (shared CWE-78)
CVE-2024-57019 (shared CWE-78)

Affected Assets

Vendor: jmpsec
Product: osctrl
Versions: prior to 0.5.0 (fixed in 0.5.0)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of untrusted input (hostname) to block OS command injection into generated enrollment scripts.

CM-5 Access Restrictions for Change (prevent)
Enforces access restrictions on configuration changes, limiting the ability of authenticated administrators to inject malicious hostnames into environments.

prevent
Limits privileges of administrator accounts so that only trusted personnel can create or modify environments that affect enrollment scripts.
