Description
In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.
Published: 2026-04-02
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated low‑privileged user can craft a request during report generation, causing the server to execute unintended commands. This OS command injection can give the attacker the ability to run arbitrary commands, leading to full compromise of confidentiality, integrity, and availability on the affected system. The vulnerability is catalogued as CWE‑78 and carries a CVSS score of 8.7, indicating a high severity.

Affected Systems

Progress Software Flowmon versions older than 12.5.8 are vulnerable. The issue applies to all installations of Flowmon running any pre‑12.5.8 build, regardless of deployment size or environment.

Risk and Exploitability

The vulnerability is exploitable only by authenticated users with low privileges, but once exploited it allows arbitrary server‑side command execution. The EPSS shows a very low probability of exploitation (<1%) and it is not listed in CISA’s KEV catalog, suggesting no current widespread exploitation. Despite the low probability, the high impact warrants immediate attention, especially in environments where users can trigger report generation.

Generated by OpenCVE AI on April 7, 2026 at 22:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Progress Flowmon 12.5.8 or later to remove the vulnerability.
  • If an upgrade cannot be performed immediately, restrict or disable the report generation feature for low‑privileged accounts until the patch is applied.
  • Review user privileges to ensure only necessary accounts can access report generation endpoints.
  • Monitor logs for anomalous report generation activity for early detection of exploitation attempts.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Progress; Progress flowmon
CPEs                |                | cpe:2.3:a:progress:flowmon:*:*:*:*:*:*:*:*
Vendors & Products  |                | Progress; Progress flowmon
Metrics             |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 02 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Progress Software; Progress Software flowmon
Vendors & Products  |                | Progress Software; Progress Software flowmon

Thu, 02 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:45:00 +0000

Type        | Values Removed | Values Added
Description |                | In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.
Title       |                | Unintended command execution during report generation in Progress Flowmon
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-03T03:55:27.668Z

Reserved: 2026-03-07T06:47:25.022Z

Link: CVE-2026-3692

Vulnrichment

Updated: 2026-04-02T13:54:18.779Z

NVD

Status: Analyzed

Published: 2026-04-02T14:16:32.640

Modified: 2026-04-07T18:45:27.150

Link: CVE-2026-3692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:33Z

Weaknesses