
Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.

Progress Software this week released patches for a critical-severity vulnerability in Flowmon that could allow remote, unauthenticated attackers to gain access to systems.

Flowmon is a widely used network monitoring and security product that provides analytics, reporting, and traffic visualization, allowing administrators to make sense of network data and respond to cyber threats.

Tracked as CVE-2024-2389 and assigned the maximum CVSS score of 10.0, the recently fixed bug is an OS command injection flaw reachable through the platform’s web interface; successful exploitation gives an attacker command execution on the appliance without any credentials.

“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” Progress explains in its advisory.

Attackers could exploit this vulnerability to exfiltrate sensitive information, including network configuration details that could potentially lead to additional attacks across the network, threat intelligence firm SOCRadar notes.
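To make the vulnerability class concrete, the following is an added Python example, not code from Flowmon or from Progress: a hypothetical API handler that builds a shell command from a request parameter, shown beside a hardened version that allowlists the parameter and passes argv as a list. The endpoint, the "host" parameter, and the payload are all constructed for illustration; nothing here reflects how Flowmon’s API is implemented or how CVE-2024-2389 is actually triggered.

```python
import re
import subprocess

# Constructed illustration of CWE-78 (OS command injection). The "host"
# parameter stands for any value an unauthenticated client controls; `echo`
# stands in for the real system tool so the demo has no side effects.
# This is not Flowmon's code.

HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
SHELL_METACHARS = set(";|&$`<>()\n\r")


def run_vulnerable(host: str) -> str:
    """Interpolates the parameter into a string that /bin/sh then parses.

    A value such as "a; echo INJECTED" becomes two commands."""
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Rejects anything outside a strict allowlist, then passes argv as a
    list so no shell ever sees the attacker-controlled bytes."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def looks_like_injection(value: str) -> bool:
    """Cheap triage heuristic for request logs: does the value carry shell
    metacharacters? An allowlist at the handler is the real fix; this only
    helps when reviewing what hit an exposed interface."""
    return any(ch in SHELL_METACHARS for ch in value)


if __name__ == "__main__":
    payload = "a; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))   # 'a\nINJECTED\n'
    print("flagged:", looks_like_injection(payload))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened ok:", repr(run_hardened("example.org")))
```

The point of the hardened version is that validation and argv-list execution work together: the allowlist stops hostile input at the boundary, and the list form means that even a value that slips past validation is handed to the program as a single argument rather than parsed by a shell.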

According to Progress, the flaw affects Flowmon versions 11.x and 12.x; appliance releases prior to 11.0 are not affected.

“Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the vendor’s advisory reads.

The vulnerability is fixed in Flowmon versions 11.1.14 and 12.3.5. The updates can be installed immediately through the appliance’s automatic update feature; manual downloads are also available.
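The version boundaries above translate directly into a patch-status check. The Python below is an added example, not a Progress tool: it classifies a constructed inventory of appliance versions against the fixed releases named in the advisory (11.1.14 and 12.3.5) and the statement that releases before 11.0 are unaffected. Versions on branches the advisory does not mention are reported as unknown rather than guessed.

```python
from __future__ import annotations

# Boundaries as stated in the advisory coverage above. Anything else
# (e.g. a hypothetical 13.x) is outside what the advisory says.
FIRST_AFFECTED = (11, 0, 0)
FIXED_IN = {11: (11, 1, 14), 12: (12, 3, 5)}

# Constructed sample inventory (hostname -> reported Flowmon version).
SAMPLE_INVENTORY = {
    "flowmon-dc1": "11.1.13",
    "flowmon-dc2": "11.1.14",
    "flowmon-lab": "12.3.4",
    "flowmon-hq": "12.3.5",
    "flowmon-old": "10.9.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "12.3.5" into (12, 3, 5); pad short strings so "11.1" -> (11, 1, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    version = tuple(int(p) for p in parts)
    return version + (0,) * max(0, 3 - len(version))


def status(text: str) -> str:
    """Classify one version string: not_affected, vulnerable, patched or unknown_branch."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not_affected"          # advisory: nothing before 11.0 is affected
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return "unknown_branch"        # advisory names only 11.x and 12.x
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the vulnerable set can go straight to change management."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(status(version), []).append(host)
    return groups


if __name__ == "__main__":
    for group, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{group:15} {', '.join(hosts)}")
```

Feed it the version strings your asset inventory or the appliance web interface reports; anything that lands in the vulnerable group needs 11.1.14 or 12.3.5 as described above.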


Given the severity of CVE-2024-2389, users are advised to update their Flowmon appliances as soon as possible.

This week, Progress revealed that Flowmon is not affected by the XZ Utils backdoor that slipped into some Linux distributions, and which is tracked as CVE-2024-3094.

Related: Ivanti Patches Critical Vulnerabilities in Standalone Sentry, Neurons for ITSM

Related: Atlassian Patches Critical Vulnerability in Bamboo Data Center and Server

Related: Fortinet Patches Critical Vulnerabilities Leading to Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
