Critical Alert: Flowmon Exploit Puts 1,500+ Firms at Risk

Security experts have identified a critical vulnerability in the Flowmon network performance monitoring tool from Progress Software, which is used by over 1,500 companies globally, including major organizations such as SEGA, KIA, and Volkswagen.

The vulnerability has been assigned a maximum severity rating of 10 out of 10 on the CVSS scale. It was discovered by specialists at Rhino Security Labs and is registered under the identifier CVE-2024-2389.

This vulnerability allows an attacker to execute a specially crafted API request to gain remote access to the Flowmon web interface without authentication and to execute arbitrary system commands.

Progress Software first reported the issue on April 4th, warning that the flaw affects versions v12.x and v11.x of the product. Experts recommend that clients upgrade their systems to the latest releases, v12.3.5 and v11.1.14.

A security update has already been released for all Flowmon clients. It can be obtained either automatically or manually from the developer’s download center. Following this, the company advises updating all Flowmon modules.

Rhino Security Labs has published technical details of the vulnerability along with a demonstration showing how an attacker can exploit the issue to inject a web shell and escalate privileges to the root level. The researchers were able to perform arbitrary command execution by manipulating the “pluginPath” or “file” parameters.
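Two checks a defender would want from the details above, as an added example that is neither Progress Software's nor Rhino Security Labs' code: a version test against the fixed releases named in the bulletin (assuming, as the bulletin implies, that every 11.x build below 11.1.14 and every 12.x build below 12.3.5 is affected), and a scan of web-server access logs for requests that pass shell metacharacters in the "pluginPath" or "file" parameters. The log format, the `/api/...` paths and the sample lines are constructed placeholders, not Flowmon's real routes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed releases from the Progress bulletin, keyed by product branch.
FIXED = {11: (11, 1, 14), 12: (12, 3, 5)}

def parse_version(v):
    """'v12.3.4' -> (12, 3, 4); tolerates a leading 'v' and missing fields."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    if not parts:
        raise ValueError("no numeric version in %r" % v)
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def needs_update(version):
    """True if the version is on an affected branch (11.x / 12.x) and below the fixed
    release; None if the branch is not listed in the bulletin (assumption: unaffected)."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return None
    return ver < fixed

# Parameters named by the researchers as the injection points, and characters
# that a legitimate plugin or file path should never contain.
WATCHED = {"pluginPath", "file"}
SUSPICIOUS = re.compile(r"[;&|`$<>]")

def suspicious_requests(log_lines):
    """Return (line_no, param, value) for every request whose watched parameter
    carries shell metacharacters (URL-decoded, so %24 is seen as '$')."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)  # common access-log shape (assumed)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        for param in sorted(WATCHED.intersection(query)):
            for value in query[param]:
                if SUSPICIOUS.search(value):
                    hits.append((n, param, value))
    return hits

# Constructed sample log lines; the paths are placeholders, not Flowmon's real endpoints.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2024:10:01:02 +0000] "GET /api/plugin?pluginPath=reports/weekly HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2024:10:01:09 +0000] "GET /api/plugin?pluginPath=reports;id HTTP/1.1" 200 77',
    '203.0.113.7 - - [10/Apr/2024:10:01:15 +0000] "GET /api/file?file=%24%28whoami%29 HTTP/1.1" 500 0',
]
```

A hit from `suspicious_requests` is a triage lead, not proof of compromise; pair it with a `needs_update` result for the host to prioritise patching.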

It should be noted that approximately two weeks ago, Italian CSIRT specialists already warned that this exploit had become available. According to public information, an active PoC for CVE-2024-2389 was published on April 10th.

The number of Flowmon servers exposed online varies depending on the search engine used. According to the search engine Fofa, there are about 500 Flowmon servers online, while services like Shodan and Hunter show fewer than 100.

The latest update to the Progress Software security bulletin was on April 19th. The company assured its clients that there has been no active exploitation of CVE-2024-2389; however, it urged them to update their systems to the secure version as soon as possible.