TechRadar
Sead Fadilpašić

Top network performance tool Flowmon has a serious security flaw, so patch now


Network monitoring and security solution Progress Flowmon was found to be carrying a maximum-severity vulnerability which could allow threat actors to escalate privileges and gain full access to the target endpoint.

As reported by BleepingComputer, the performance tracking, diagnostics, and network detection and response tool was vulnerable to CVE-2024-2389, a flaw allowing attackers to gain unauthenticated access to the Flowmon web interface, where they can execute arbitrary system commands.

To gain this access, the attackers would need to craft a custom API request.

Thousands of victims

A proof-of-concept (PoC) is already available, but the vulnerability is apparently not being abused in the wild just yet. Users are advised to apply the released patch immediately.

Progress has since been alerted to the discovery and has released a patch. Flowmon versions 12.x and 11.x are all vulnerable. The first patched versions are 12.3.5 and 11.1.14. Those with automatic updates enabled will have received the patch already. Those who opted for manual updates need to go to the vendor’s download center.

After applying the patch, Progress recommends upgrading all Flowmon modules, too. 
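As an added example (not from the article, from BleepingComputer, or from Progress), a small Python triage helper that classifies Flowmon version strings against the first patched releases named above; it assumes only the 11.x and 12.x branches the article mentions and reports any other major version as unknown rather than guessing.

```python
"""Added example: decide whether a reported Flowmon version falls inside
the range the article says is affected by CVE-2024-2389.

Assumption (labelled): only the 11.x and 12.x branches named in the article
are handled; any other major version is reported as "unknown".
"""
import re

# First patched release per branch, as stated in the article.
FIRST_PATCHED = {
    11: (11, 1, 14),
    12: (12, 3, 5),
}


def parse_version(text):
    """Turn '12.3.4' (optionally with a suffix such as '-build7') into a tuple of ints."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text):
    """Return 'vulnerable', 'patched', or 'unknown' for a Flowmon version string."""
    version = parse_version(version_text)
    patched_from = FIRST_PATCHED.get(version[0])
    if patched_from is None:
        return "unknown"  # branch not covered by the article's statement
    return "patched" if version >= patched_from else "vulnerable"


def triage(inventory):
    """Group a {host: version} inventory by assessment so the instances that
    still need the manual download-center update are easy to list."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        result[assess(version_text)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "flowmon-a.example": "12.3.4",
        "flowmon-b.example": "12.3.5",
        "flowmon-c.example": "11.1.13",
        "flowmon-d.example": "11.1.14-build2",
        "flowmon-e.example": "10.0.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```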

While the vulnerability was discovered and reported by researchers from Rhino Security Labs, BleepingComputer notes that Italy’s CSIRT also warned about it roughly two weeks ago. Rhino Security Labs published the technical details and a demonstration of the vulnerability, but a PoC was made available as early as April 10.

At this time, there are conflicting reports on the number of Flowmon instances exposed on the public web, and thus vulnerable. Some search engines show about 500 exposed servers, while others see fewer than 100 instances. In any case, around 1,500 companies around the world use Flowmon, BleepingComputer added, including SEGA, KIA, TDK, Volkswagen, and others. 

So far, there is no evidence of abuse in the wild. 
