• <50 publicly-exposed Progress Flowmon hosts with exposed web interfaces
Top affected countries:
1. Czech Republic
2. US
3. Japan
4. Italy
5. South Korea
Summary
Censys is aware that on April 02, 2024, CVE-2024-2389 was published: a critical vulnerability in Progress Flowmon web interfaces that allows an unauthenticated, remote attacker to execute arbitrary system commands via the API. More recently, it has been reported that multiple proof-of-concept exploits for this vulnerability have been published.
Asset Description
Progress Flowmon is a network traffic monitoring tool that “combines performance tracking, diagnostics, and network detection and response features” (Bleepingcomputer). Such assets are likely to be logically central in an enterprise’s network and may have access to a myriad of other enterprise assets.
Impact
Progress Flowmon “is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen….” (Bleepingcomputer).
Potential Consequences of Successful Exploitation
Using a specially crafted API call, an attacker can gain remote, unauthenticated access to the Flowmon web interface. With that access, the attacker can embed malicious commands and execute arbitrary code, essentially taking over the asset.
Given Flowmon’s network monitoring and response capabilities, takeover of such an asset could give an attacker significant ability to enumerate the network of the enterprise using it, depending on which assets route traffic through Flowmon. That network intelligence could help an attacker understand the value of the organization’s assets and identify other potential targets.
Affected Assets
According to the NVD, this issue affects Flowmon “versions prior to 11.1.14 and 12.3.5.” Flowmon versions prior to 11.0 (10.x and lower) are not affected by this vulnerability.
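The version ranges above can be applied to an asset inventory as in the following added example, which is not code from Censys or Progress. It assumes 11.1.14 and 12.3.5 are the fixed releases of the 11.x and 12.x branches respectively, reports branches the advisory does not mention as unknown, and uses constructed hostnames and versions.

```python
import re

# Fixed release per major branch, from the NVD text quoted above.
# Assumption: 11.1.14 fixes the 11.x branch and 12.3.5 fixes the 12.x branch.
FIXED = {11: (11, 1, 14), 12: (12, 3, 5)}


def parse_version(text):
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple of ints; None if malformed."""
    m = re.fullmatch(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    # Missing components count as 0, so a bare "11" is treated as 11.0.0.
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(version_text):
    """Return 'affected', 'not_affected' or 'unknown' for CVE-2024-2389."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"            # unparseable: check by hand, never assume safe
    if v[0] < 11:
        return "not_affected"       # 10.x and lower are outside the affected range
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"            # branch not covered by the advisory text
    # Tuple comparison is numeric, so 12.10.0 correctly sorts after 12.3.5.
    return "affected" if v < fixed else "not_affected"


def triage(inventory):
    """Group (host, version) pairs by classification."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("flowmon-prg.example.internal", "11.1.13"),
    ("flowmon-nyc.example.internal", "12.3.5"),
    ("flowmon-tyo.example.internal", "12.2.10"),
    ("flowmon-mil.example.internal", "10.8.2"),
    ("flowmon-sel.example.internal", "unknown-build"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```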
Censys’ Rapid Response Team was able to identify Progress Flowmon web interfaces publicly exposed to the internet. Below is a query that will accurately uncover hosts with exposed Flowmon web interfaces.
Censys ASM Risk Name for Potentially Vulnerable Devices
“Vulnerable Progress Flowmon Web Interface CVE-2024-2389”
The query above will find exposed Flowmon web interfaces associated with your organization in your ASM workspace within approximately 24 hours.
Censys ASM Query for Exposed Assets
This query is shared for customers who wish to refine or alter versioning for customized operations.
Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.
Recommendations for remediation
If you need assistance in positively identifying these assets, please let us know.