Network monitoring and security solution Progress Flowmon was found to be carrying a maximum-severity vulnerability which could allow threat actors to escalate privileges and gain full access to the target endpoint.
As reported by BleepigComputer, the performance tracking, diagnostics, and network detection and response tool was vulnerable to CVE-2024-2389, a flaw allowing attackers to gain unauthenticated access to the Flowmon web interface, where they can execute arbitrary system commands.
To gain this access, the attackers would need to craft a custom API request.
Thousands of victims
A proof-of-concept (PoC) is already available, but the vulnerability is apparently not being abused in the wild just yet. Users are advised to apply the released patch immediately.
Progress has since been alerted of the discovery, and released a patch. Flowmon versions 12.x and 11.x are all vulnerable. First patched versions are 12.3.5 and 11.1.14. Those with automatic updates enabled will have gotten the patch already. Those who opted for manual updates need to go to the vendor’s download center.
After applying the patch, Progress recommends upgrading all Flowmon modules, too.
While the vulnerability was discovered and reported by researchers from Rhino Security Labs, BleepingComputer reminds that Italy’s CSIRT also warned about it, roughly two weeks ago. Rhino Security Labs published the technical details and a demo on how to use the vulnerability, but a PoC was made available as early as April 10.
At this time, there are conflicting reports on the number of Flowmon instances exposed on the public web, and thus vulnerable. Some search engines show about 500 exposed servers, while others see fewer than 100 instances. In any case, around 1,500 companies around the world use Flowmon, BleepingComputer added, including SEGA, KIA, TDK, Volkswagen, and others.
So far, there is no evidence of abuse in the wild.
