Advisory

April 26, 2024: Progress Flowmon vulnerability allows remote, unauthenticated access via API CVE-2024-2389

Global Impact (at time of dissemination)

• <50 publicly-exposed Progress Flowmon hosts with exposed web interfaces

Top affected countries:
1. Czech Republic
2. US
3. Japan
4. Italy
5. South Korea


Summary

Censys is aware that on April 02, 2024, a critical vulnerability in the Progress Flowmon web interface was published as CVE-2024-2389. It allows an unauthenticated, remote attacker to execute arbitrary operating system commands on the appliance by sending a crafted API request. More recently, multiple proof-of-concept exploits for this vulnerability have been reported as publicly available.

Asset Description
Progress Flowmon is a network traffic monitoring tool that “combines performance tracking, diagnostics, and network detection and response features” (Bleepingcomputer). Such assets are likely to be logically central in an enterprise’s network and may have access to a myriad of other enterprise assets.

Impact

Progress Flowmon “is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen…” (Bleepingcomputer).
Potential Consequences of Successful Exploitation
Using a specially crafted API request, an attacker can reach the Flowmon web interface remotely without authentication. Because the request is handled in a way that lets attacker-supplied input be executed as an operating system command, the attacker can run arbitrary commands on the appliance, which amounts to a full takeover of the asset.
Given Flowmon’s network monitoring and response role, takeover of such an asset gives an attacker significant enumeration capability inside the enterprise, proportional to how much traffic is routed through or visible to Flowmon. That network intelligence helps an attacker judge the value of the organization’s assets and select further targets.

Affected Assets

According to the NVD, this issue affects Flowmon “versions prior to 11.1.14 and 12.3.5.” In other words, the 11.x line is affected below 11.1.14 and the 12.x line is affected below 12.3.5. All Flowmon versions prior to 11.0 (10.x and lower) are not affected by this vulnerability.
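The two affected ranges above are easy to get wrong when triaging an inventory by hand (11.2.0 is fixed, 12.0.0 is not, 10.x is out of scope entirely). The following is an added example, not code from Censys or Progress, that encodes those ranges as a version check and runs it over a constructed inventory; the hostnames, version strings and the handling of release lines newer than 12.x are assumptions for illustration.

```python
"""
Triage a Flowmon inventory against the CVE-2024-2389 affected ranges.

Assumptions (not from the advisory): the inventory is a constructed list of
(hostname, version_string) pairs and version strings look like "12.3.4".
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build on each affected release line, as stated in the advisory:
# "versions prior to 11.1.14 and 12.3.5". 10.x and lower are not affected.
FIRST_FIXED = {
    11: (11, 1, 14),
    12: (12, 3, 5),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not an x.y.z version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """
    Classify a Flowmon version as 'affected', 'not_affected' or 'unknown'.

    'unknown' is returned for unparsable input so that a bad inventory record
    is never silently treated as patched.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major = v[0]
    if major < 11:
        return "not_affected"  # 10.x and lower are not affected per the advisory
    if major in FIRST_FIXED:
        return "affected" if v < FIRST_FIXED[major] else "not_affected"
    # Assumption: a release line newer than 12.x postdates both fixes.
    return "not_affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by classification so the 'affected' list can be patched first."""
    groups: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("flowmon-prg-01.example", "11.1.13"),
    ("flowmon-prg-02.example", "11.1.14"),
    ("flowmon-us-01.example", "12.3.4"),
    ("flowmon-us-02.example", "12.3.5"),
    ("flowmon-legacy.example", "10.9.2"),
    ("flowmon-kr-01.example", "n/a"),
]

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {hosts}")
```

Anything that does not parse lands in the "unknown" bucket rather than in "not_affected"; in practice that bucket is where stale CMDB entries hide, and those hosts should be fingerprinted directly before being closed out.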
Censys’ Rapid Response Team was able to identify Progress Flowmon web interfaces publicly exposed to the internet. Below is a query that will accurately uncover hosts with exposed Flowmon web interfaces.

Censys ASM Risk Name for Potentially Vulnerable Devices

“Vulnerable Progress Flowmon Web Interface CVE-2024-2389”
The query above will find exposed Flowmon web interfaces associated with your organization in your ASM workspace within approximately 24 hours.

Censys ASM Query for Exposed Assets.
This query is shared for customers who wish to refine or alter versioning for customized operations.

Censys Search Queries
Censys Search queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.

Recommendations for remediation

Upgrade affected appliances to a version at or above the fixed builds named above (11.1.14 on the 11.x line, 12.3.5 on the 12.x line). Where an upgrade cannot be applied immediately, do not leave the Flowmon web interface reachable from the internet, since the vulnerability requires no authentication.
If you need assistance in positively identifying these assets, please let us know.