Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
Progress Flowmon combines performance tracking, diagnostics, and network detection and response features. It is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen, Orange, and Tietoevry.
The security issue has the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is currently tracked as CVE-2024-2389.
An attacker can exploiting the vulnerability can use a specially crafted API request to gain remote, unauthenticated access to the Flowmon web interface and execute arbitrary system commands.
Flowon developer Progress Software first alerted about the flaw on April 4, warning that it impacts versions of the product v12.x and v11.x. The company urged system admins to upgrade to the latest releases, v12.3.5 and 11.1.14.
The security update was released to all Flowmon customers either automatically through the ‘Automatic package download’ system or manually from the vendor’s download center. Progress also recommended upgrading all Flowmon modules afterwards.
Exploit code available
In a report today, Rhino Security Labs released technical details for the vulnerability along with a demo showing how an attacker could exploit the issue to plant a webshell and escalate privileges to root.
The researchers explain that they were able to inject commands by manipulating the ‘pluginPath’ or ‘file parameters’ to embed malicious commands. Using the command substitution syntax , e.g. $(…), the researchers could achieve arbitrary command execution.
“The command executes blindly so it is not possible to see the output of the executed command, but it is possible to write a webshell to /var/www/shtml/,” the researchers explain.
It is worth noting that in an alert about two weeks ago Italy’s CSIRT warned that an exploit had already become available. Indeed, BleepingComputer found that a security researcher had published on April 10 a valid PoC for CVE-2024-2389 on X.
Flowmon servers exposed
The number of Flowmon instances exposed on the public web appears to vary greatly depending on the search engine.
At publishing time, a look on the Fofa search engine for network assets shows that there are about 500 Flowmon servers exposed online. Shodan and Hunter search engines see less than 100 instances.
Progress Software last updated the security bulletin on April 19, assuring its customers that there were no reports of active exploitation for CVE-2024-2389. However, addressing the issue by upgrading to a safe version as soon as possible is critical.
