CVE-2024-2389
Published 2024-04-02
Priority: P196 · Severity: critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 93.90% (99.8th percentile)
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | flowmon | < 11.1.14 | 11.1.14 |
| progress | flowmon | >= 12.0.0 < 12.3.5 | 12.3.5 |
| progress_software | flowmon | >= 11.X < 11.1.14 | 11.1.14 |
| progress_software | flowmon | >= 12.X < 12.3.5 | 12.3.5 |
Detection & IOCs (extracted from sources)
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Flowmon OS Command Injection in Service:Pdfs:Confluence Module (CVE-2024-2389)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service.pdfs/confluence"; fast_pattern; content:"file|3d|"; pcre:"/^[^&]*?(?:\x3b|\x0a|\x60|\x7c|\x24)/R"; reference:url,rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/; reference:cve,2024-2389; classtype:web-application-attack; sid:2056384; rev:1; metadata:affected_product Progress_Flowmon, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_2389, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets the `pluginPath` or `file` parameters of the Flowmon management interface API endpoint `/service.pdfs/confluence`, using command substitution syntax such as $(...) or backticks to achieve blind OS command injection.
- Command execution is blind (no output is returned); attackers have been observed writing webshells to `/var/www/shtml/` as a post-exploitation step. Monitor that directory for new or modified PHP/web files.
- The Snort/ET rule detects the attack by matching GET requests to `/service.pdfs/confluence` whose `file=` parameter contains shell metacharacters: semicolon (0x3b), newline (0x0a), backtick (0x60), pipe (0x7c), or dollar sign (0x24).
- The Metasploit privilege-escalation module abuses sudo rules on Flowmon that let certain binaries auto-elevate based on filename, including executing PHP with a specific filename. Monitor for unexpected PHP execution via sudo.
- Use the Shodan query `Server: Flowmon` to identify internet-exposed Flowmon instances for asset discovery and attack-surface monitoring.
- The Nuclei template confirms exploitation via an out-of-band HTTP callback (interactsh). Detect exploitation attempts by monitoring for outbound HTTP/DNS requests originating from the Flowmon server process shortly after requests to `/service.pdfs/confluence`.
- The Metasploit RCE module targets Flowmon versions before v12.03.02, while the NVD advisory and vendor bulletin cite the patched versions as 11.1.14 and 12.3.5. Ensure detection coverage spans all v11.x and v12.x instances below those thresholds.
- The ET Snort rule (sid:2056384) requires TLS decryption (`tls_state TLSDecrypt`) to be effective when Flowmon is accessed over HTTPS. Without SSL/TLS inspection, the rule will not fire on encrypted traffic.
- The privilege escalation to root is a separate, chained local exploit (sudo abuse) that applies to Flowmon up to at least version 12.3.5, so instances patched against the RCE may still be vulnerable to local privilege escalation after initial access.
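The ET rule above only fires on decrypted traffic seen by the sensor, so it is useful to be able to apply the same matching logic to web-server access logs after the fact. The following Python is an added example, not code from this page, from Emerging Threats or from Progress: it re-implements the rule's conditions (GET, `/service.pdfs/confluence` in the URI, and the rule's own pcre run relative to `file=`) over combined-format log lines. The log lines are constructed for the example; the single percent-decoding pass stands in for Snort's normalized `http.uri` buffer (an assumption), and the optional `params` argument goes beyond the rule by also inspecting `pluginPath`, which the write-ups above name but the rule does not check.

```python
import re
from urllib.parse import unquote

# Path and parameter the ET rule (sid:2056384) keys on, taken from the rule text.
TARGET_PATH = "/service.pdfs/confluence"

# Same pattern as the rule's pcre: scan the value up to the next '&' for
# ';' (0x3b), newline (0x0a), backtick (0x60), pipe (0x7c) or '$' (0x24).
META_RE = re.compile(r"^[^&]*?(?:\x3b|\x0a|\x60|\x7c|\x24)")

# Combined-log prefix: client ident user [time] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def matches_rule(method: str, raw_uri: str, params=("file",)) -> bool:
    """True when a request satisfies the rule's GET / URI / pcre conditions.

    The rule's http.uri buffer is normalized, so the raw URI is percent-decoded
    once here (assumption). `params` defaults to the rule's own `file=`; pass
    ("file", "pluginPath") to also cover the second parameter named above.
    """
    if method != "GET":
        return False
    uri = unquote(raw_uri)
    if TARGET_PATH not in uri:
        return False
    for name in params:
        idx = uri.find(name + "=")
        if idx == -1:
            continue
        # Mirror pcre's /R: match relative to the end of the content match.
        if META_RE.match(uri[idx + len(name) + 1:]):
            return True
    return False


def scan_log(lines, params=("file",)):
    """Return (client, time, uri) for every log line that matches the rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_rule(m["method"], m["uri"], params):
            hits.append((m["client"], m["time"], m["uri"]))
    return hits


# Constructed sample lines: one benign request, one with a metacharacter in
# file=, one with a metacharacter only in pluginPath=, a POST (not covered by
# the rule), and a request to a different path.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Oct/2024:10:00:01 +0000] "GET /service.pdfs/confluence?file=report.pdf HTTP/1.1" 200 512',
    '10.0.0.6 - - [02/Oct/2024:10:00:02 +0000] "GET /service.pdfs/confluence?file=a%3Bb HTTP/1.1" 200 0',
    '10.0.0.7 - - [02/Oct/2024:10:00:03 +0000] "GET /service.pdfs/confluence?pluginPath=a%60b&file=c HTTP/1.1" 200 0',
    '10.0.0.8 - - [02/Oct/2024:10:00:04 +0000] "POST /service.pdfs/confluence?file=a%7Cb HTTP/1.1" 200 0',
    '10.0.0.9 - - [02/Oct/2024:10:00:05 +0000] "GET /index.php?file=a%24b HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, when, uri in scan_log(SAMPLE_LOG, ("file", "pluginPath")):
        print(f"{when} {client} {uri}")
```

Note the two gaps the sample makes visible: the rule is limited to GET requests and to the `file=` parameter, so a request carrying the metacharacter only in `pluginPath=` (third line) is missed unless the extended parameter list is used, and a POST (fourth line) is never matched. Either way, a hit here is a trigger for the host-side checks listed above (new files under `/var/www/shtml/`, outbound callbacks, sudo-invoked PHP), not a confirmation of compromise on its own.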
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-9p5w-7f45-v3jm (ghsa_unreviewed · 2024-04-02 · CVE-2024-2389 [CRITICAL] · CWE-78)
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
VulnCheck
Flowmon Operating System Command Injection Vulnerability (vulncheck · 2024 · CVSS 10.0 · CVE-2024-2389 [CRITICAL])
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
Affected: Progress Flowmon
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-26&host_type=src&vulnerability=cve-2024-2389; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-27&host_type=src&vulnerability=cve-2024-238
Suricata
ET WEB_SPECIFIC_APPS Progress Flowmon OS Command Injection in Service:Pdfs:Confluence Module (CVE-2024-2389) (suricata · 2024-10-02 · CVSS 10.0 · CVE-2024-2389 [CRITICAL])
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Flowmon OS Command Injection in Service:Pdfs:Confluence Module (CVE-2024-2389)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service.pdfs/confluence"; fast_pattern; content:"file|3d|"; pcre:"/^[^&]*?(?:\x3b|\x0a|\x60|\x7c|\x24)/R"; reference:url,rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/; reference:cve,2024-2389; classtype:web-application-attack; sid:2056384; rev:1; metadata:affected_product Progress_Flowmon, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_2389, deployment Perimeter, deployment Internal, deployment SSLD
Nuclei
Progress Kemp Flowmon - Command Injection (nuclei · CVSS 9.8 · CVE-2024-2389 [CRITICAL])
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
Template:
```yaml
id: CVE-2024-2389
info:
  name: Progress Kemp Flowmon - Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  description: |
    In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
  impact: |
    Unauthenticated attackers can execute arbitrary system
```
Metasploit
Flowmon Unauthenticated Command Injection (metasploit)
This module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02.
Metasploit
Progress Flowmon Local sudo privilege escalation (metasploit)
This module abuses a feature of the sudo command on Progress Flowmon. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. This includes executing a PHP command with a specific file name. If the file is overwritten with PHP code it can be used to elevate privileges to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.
Checkpoint
29th April – Threat Intelligence Report (blogs_checkpoint · 2024-04-29 · CVE-2024-4040)
## 29th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Germany has revealed a sophisticated state-sponsored hacking campaign targeting Volkswagen, orchestrated by Chinese hackers since 2010. The attackers successfully infiltrated VW’s networks multiple times, extracting thousands of documents critical to automotive technology, including electric and hydrogen vehicle innovations.
Bleepingcomputer
Maximum severity Flowmon bug has a public exploit, patch now (blogs_bleepingcomputer · 2024-04-24 · CVSS 10.0 · [CRITICAL])
## Maximum severity Flowmon bug has a public exploit, patch now
By Bill Toulas
Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
Progress Flowmon combines performance tracking, diagnostics, and network detection and response features. It is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen, Orange, and Tietoevry.
The security issue has the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is currently tracked as CVE-2024-2389.
An attacker exploiting the vulnerability can use a specially crafted API request to gain remote, unauthenticated access to the Flowmon web interface and ex
Greynoiseio
NoiseLetter April 2024 (blogs_greynoiseio)