CVE-2024-2389 CRITICAL

CVE-2024-2389: Flowmon Unauthenticated Command Injection Vulnerability

Vendor: Progress Software
Product: Flowmon
Weakness: CWE-78
Published: April 2, 2024
Last update: December 16, 2025

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Flowmon versions prior to 11.1.14 and 12.3.5 contain an operating system command injection vulnerability. An unauthenticated user can gain access to the system through the Flowmon management interface and execute arbitrary system commands.

Key dates

02 Disclosure timeline

April 2, 2024: CVE published
December 16, 2025: Record updated