
CVE-2026-2956

Medium ⚡ Exploit Available
CWE-74 — Weakness Type
Published: Feb 22, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
6.3
📄 Description (English)

A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-2956 is a remote command injection vulnerability in dst-admin versions up to 1.5.0 affecting the revertBackup function. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands through the Name parameter. With public exploit availability and no vendor patch, this poses an immediate threat to organizations using this backup management tool.


🤖 AI Intelligence Analysis Analyzed: May 17, 2026 01:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using dst-admin for backup management, particularly in: Government agencies (NCA, CITC) managing critical infrastructure backups; Banking sector (SAMA-regulated institutions) relying on dst-admin for database backups; Healthcare organizations (MOH facilities) using this tool for patient data backup; Energy sector (ARAMCO, utilities) managing operational technology backups; Telecom providers (STC, Mobily) maintaining network configuration backups. Remote command execution could lead to complete system compromise, data exfiltration, ransomware deployment, and lateral movement within critical infrastructure.
🏢 Affected Saudi Sectors
Government Banking Healthcare Energy Telecommunications Critical Infrastructure
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all dst-admin installations in your environment (versions ≤1.5.0)
2. Isolate affected systems from production networks or restrict access to the /home/restore endpoint
3. Implement network-level access controls limiting connections to dst-admin to trusted administrative IPs only
4. Monitor for suspicious activity on port 8080 (default dst-admin port) and /home/restore endpoint

PATCHING GUIDANCE:
1. Contact dst-admin project for security updates or consider alternative backup solutions
2. If upgrade available, test in non-production environment before deployment
3. Implement input validation and sanitization for the Name parameter if source code access available

COMPENSATING CONTROLS:
1. Deploy Web Application Firewall (WAF) rules to block requests containing command injection payloads (;, |, &, $(), backticks) to /home/restore
2. Implement strict input validation: whitelist only alphanumeric characters and hyphens for Name parameter
3. Run dst-admin with minimal privileges (non-root user)
4. Enable comprehensive logging and alerting for /home/restore endpoint access
5. Implement rate limiting on backup restore operations

DETECTION RULES:
1. Alert on POST/GET requests to /home/restore containing special characters: [;|&$`()\\]
2. Monitor for dst-admin process spawning unexpected child processes
3. Alert on failed authentication attempts followed by /home/restore access
4. Log all backup restore operations with full request parameters
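
The allowlist from compensating control 2 and the metacharacter rule from detection rule 1, applied to web access logs, as an added example (not dst-admin code and not part of the original advisory). It assumes combined-format access logs and that the parameter arrives in the query string under the name the advisory gives (Name, matched case-insensitively); the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Detection rule 1: shell metacharacters listed in the advisory.
METACHARS = re.compile(r"[;|&$`()\\]")
# Compensating control 2: alphanumerics and hyphens only.
ALLOWED = re.compile(r"[A-Za-z0-9-]+")
# Assumption: combined log format; only the quoted request line is parsed.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "/home/restore"

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2026:10:00:01 +0000] "GET /home/restore?name=world-20260301 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Mar/2026:10:00:05 +0000] "GET /home/restore?name=save1%3Bid HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Mar/2026:10:00:09 +0000] "GET /home/restore?Name=old%20save.zip HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Mar/2026:10:00:12 +0000] "GET / HTTP/1.1" 200 512',
]


def classify_name(value):
    """Return None if value passes the allowlist, else why it fails."""
    if ALLOWED.fullmatch(value):
        return None
    return "metacharacter" if METACHARS.search(value) else "not-allowlisted"


def scan(lines):
    """Return (line_no, decoded_value, reason) per suspicious restore request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes; the key is compared case-insensitively.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() == "name":
                findings += [(no, v, classify_name(v)) for v in values
                             if classify_name(v)]
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line shows why the allowlist is the stronger check: it contains none of the listed metacharacters but still fails validation. Parameters sent in a POST body do not appear in access logs, so the same check has to run at the proxy or WAF for those requests.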
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information security policies and procedures
ECC 2024 A.5.2.1 - Access control and authentication
ECC 2024 A.5.3.1 - Cryptography and data protection
ECC 2024 A.5.4.1 - Logging and monitoring
ECC 2024 A.5.5.1 - Vulnerability management and patching
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software inventory and asset management
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.PT-1 - Security awareness and training
SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activity
SAMA CSF RS.MI-1 - Incident response and mitigation
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.5.23 - Information security incident management
ISO 27001:2022 A.8.1 - Cryptography
ISO 27001:2022 A.8.2 - Physical and environmental security
ISO 27001:2022 A.8.3 - Operations security
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall configuration standards
PCI DSS 2.1 - Default security parameters
PCI DSS 6.2 - Security patches and updates
PCI DSS 10.1 - Logging and monitoring
PCI DSS 11.3 - Penetration testing and vulnerability scanning
📦 Affected Products / CPE 1 entries
dst-admin_project:dst-admin
📊 CVSS Score
6.3
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: L (Low)
Integrity: L (Low)
Availability: L (Low)
📋 Quick Facts
Severity Medium
CVSS Score 6.3
CWE CWE-74
EPSS 0.35%
Exploit ✓ Yes
Patch ✗ No
Published 2026-02-22
Source Feed nvd
🇸🇦 Saudi Risk Score
7.8
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-74