Vulnerabilities

Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.

Published

A critical OS command injection in Progress Flowmon can be exploited to gain remote, unauthenticated access to the system.

Progress Software this week released patches for a critical-severity vulnerability in Flowmon that could allow remote, unauthenticated attackers to gain access to systems.

A widely used network monitoring and security solution, Flowmon includes analytics, reporting, and monitoring capabilities, allowing administrators to visualize network data and deal with cyber threats.

Tracked as CVE-2024-2389 and said to have the highest severity rating (CVSS score of 10/10), the recently fixed bug is described as an OS command injection issue leading to unauthorized access to the system via the platform’s web interface.

“Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication,” Progress explains in its advisory.

Attackers could exploit this vulnerability to exfiltrate sensitive information, including network configuration details that could potentially lead to additional attacks across the network, threat intelligence firm SOCRadar notes.

According to Progress, the security defect impacts Flowmon versions 11.x and 12.x, but no appliance releases prior to version 11.0.

“Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the vendor’s advisory reads.

The vulnerability was addressed with the release of Flowmon versions 11.1.14 and 12.3.5, which can be immediately installed using the appliance’s automatic update feature. Manual downloads are also available.

Advertisement. Scroll to continue reading.

Given the severity of CVE-2024-2389, users are advised to update their Flowmon appliances as soon as possible.

This week, Progress revealed that Flowmon is not affected by the XZ Utils backdoor that slipped into some Linux distributions, and which is tracked as CVE-2024-3094.

Related: Ivanti Patches Critical Vulnerabilities in Standalone Sentry, Neurons for ITSM

Related: Atlassian Patches Critical Vulnerability in Bamboo Data Center and Server

Related: Fortinet Patches Critical Vulnerabilities Leading to Code Execution

In this article:

Related Content

Cloud Security

Vulnerability Found in Fluent Bit Utility Used by Major Cloud, Tech Companies

Linguistic Lumberjack (CVE-2024-4323) is a critical vulnerability in the Fluent Bit logging utility that can allow DoS, information disclosure and possibly RCE.

9 hours ago

Vulnerabilities

CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

CISA has added two vulnerabilities in discontinued D-Link products to its KEV catalog, including a decade-old flaw.

3 days ago
Llama Drama vulnerability CVE-2024-34359

Application Security

Critical Flaw in AI Python Package Can Lead to System and Data Compromise

A critical vulnerability tracked as CVE-2024-34359 and dubbed Llama Drama can allow hackers to target AI product developers.

3 days ago

Vulnerabilities

Intel Publishes 41 Security Advisories for Over 90 Vulnerabilities 

Intel has published 41 new May 2024 Patch Tuesday advisories covering a total of more than 90 vulnerabilities. 

5 days ago

ICS/OT

Cinterion Modem Flaws Pose Risk to Millions of Devices in Industrial, Other Sectors

A critical vulnerability in the Cinterion cellular modems can be exploited for remote code execution via SMS messages.

May 13, 2024

Vulnerabilities

CISA Announces CVE Enrichment Project ‘Vulnrichment’

CISA’s Vulnrichment project is adding important information to CVE records to help improve vulnerability management processes.

May 9, 2024

Vulnerabilities

F5 Patches Dangerous Vulnerabilities in BIG-IP Next Central Manager

F5 has patched two potentially serious vulnerabilities in BIG-IP Next that could allow an attacker to take full control of a device.

May 9, 2024

Vulnerabilities

CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

CISA and the FBI warn of threat actors abusing path traversal software vulnerabilities in attacks targeting critical infrastructure.

May 3, 2024

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version