CVE-2024-2389
Flowmon Unauthenticated Command Injection Vulnerability
Basic Information
- CVE State: PUBLISHED
- Reserved Date: March 11, 2024
- Published Date: April 02, 2024
- Last Updated: August 01, 2024
- Vendor: Progress Software
- Product: Flowmon
- Description: In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
- Tags
- Score: 94.35% (Percentile: 99.95%) as of 2025-07-17
- Exploitation: PoC
- Automatable: Yes
- Technical Impact: Total
- Exploited in the Wild: Yes (2025-06-26 00:00:00 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v3.1
10.0 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
The Shadowserver (via CIRCL) | 2025-06-27 12:00:36 UTC |
Scanner Integrations
Scanner | URL | Date Detected |
---|---|---|
Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb | 2025-04-29 11:01:14 UTC |
Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-2389.yaml | 2025-04-26 00:00:00 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
progress_flowmon_unauth_cmd_injection
Type: metasploit • Created: Unknown
Metasploit module for CVE-2024-2389
adhikara13/CVE-2024-2389
Type: github • Created: 2024-04-11 14:03:23 UTC • Stars: 2
Timeline
- CVE ID Reserved
- CVE Published to Public
- Detected by Nuclei
- Detected by Metasploit
- Added to KEVIntel