Connect with us

Hi, what are you looking for?



Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.

Progress Software this week released patches for a critical-severity vulnerability in Flowmon that could allow remote, unauthenticated attackers to gain access to systems.

A widely used network monitoring and security solution, Flowmon includes analytics, reporting, and monitoring capabilities, allowing administrators to visualize network data and deal with cyber threats.

Tracked as CVE-2024-2389 and said to have the highest severity rating (CVSS score of 10/10), the recently fixed bug is described as an OS command injection issue leading to unauthorized access to the system via the platform’s web interface.

“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” Progress explains in its advisory.

Attackers could exploit this vulnerability to exfiltrate sensitive information, including network configuration details that could potentially lead to additional attacks across the network, threat intelligence firm SOCRadar notes.

According to Progress, the security defect impacts Flowmon versions 11.x and 12.x, but no appliance releases prior to version 11.0.

“Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the vendor’s advisory reads.

The vulnerability was addressed with the release of Flowmon versions 11.1.14 and 12.3.5, which can be immediately installed using the appliance’s automatic update feature. Manual downloads are also available.

Advertisement. Scroll to continue reading.

Given the severity of CVE-2024-2389, users are advised to update their Flowmon appliances as soon as possible.

This week, Progress revealed that Flowmon is not affected by the XZ Utils backdoor that slipped into some Linux distributions, and which is tracked as CVE-2024-3094.

Related: Ivanti Patches Critical Vulnerabilities in Standalone Sentry, Neurons for ITSM

Related: Atlassian Patches Critical Vulnerability in Bamboo Data Center and Server

Related: Fortinet Patches Critical Vulnerabilities Leading to Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.