Description
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges 'Listen on the given address without any authentication mechanism.' None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The ExecuteBan and ExecuteUnBan methods trigger security-critical actions: BGP route announcements that can blackhole network traffic, and execution of external notification scripts via popen(). An attacker with local network access can ban arbitrary IP addresses (causing denial of service to legitimate traffic), unban active attacks (disabling DDoS mitigation), and trigger script execution. There is also no role-based access control separating read-only monitoring from destructive administrative operations.
Published: 2026-05-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition releases up to version 1.2.9 expose a gRPC API server on port 50052 that is started with insecure credentials, as confirmed by source comments. The exposed RPC methods—ExecuteBan, ExecuteUnban, GetBanlist, GetTotalTrafficCounters, and others that invoke popen()—perform no credential checking or role-based access control. An attacker who can contact the service can trigger administrative actions such as BGP route announcements that blackhole legitimate traffic, unban IP addresses to disable DDoS mitigation, or execute arbitrary scripts on the host, effectively achieving remote code execution.

Affected Systems

All FastNetMon Community Edition binaries distributed through version 1.2.9 contain this flaw. No other vendors or product versions are listed in the CVE payload, so the vulnerability applies exclusively to the Community Edition source code packaged in these releases. The gRPC listener operates on TCP port 50052, and local or network access to this port is sufficient to exploit the issue.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity flaw, and the EPSS score is not available; the vulnerability is not catalogued in CISA KEV. Because the service accepts connections on a reachable port with no authentication, an attacker who can reach the host or network can invoke any RPC method. The combination of potential network-level manipulation and execution of arbitrary code via popen() provides a high-impact avenue for attackers, making the threat significant if local network access is achievable.

Generated by OpenCVE AI on May 27, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FastNetMon to the latest release that implements secure credentials for the gRPC server and enforces authentication for administrative RPCs.
  • If an upgrade is not immediately feasible, modify the source to replace grpc::InsecureServerCredentials() with grpc::SslServerCredentials() or an equivalent secure credential mechanism and recompile.
  • Restrict external traffic to TCP port 50052 with firewall rules or a VPN so that only trusted administrative hosts can reach the gRPC endpoint.
  • Optionally disable or patch the RPC methods that invoke popen() or perform bans/unbans until a secure implementation is available.

Generated by OpenCVE AI on May 27, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Wed, 27 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated gRPC API Allows Remote Code Execution and Denial of Service

Tue, 26 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated gRPC API Allows Remote Code Execution and DoS in FastNetMon Community Edition
Weaknesses CWE-284
CWE-73
CWE-863

Tue, 26 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated gRPC API Allows Remote Code Execution and DoS in FastNetMon Community Edition
Weaknesses CWE-284
CWE-73
CWE-863

Tue, 26 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Pavel-odintsov
Pavel-odintsov fastnetmon
Vendors & Products Pavel-odintsov
Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges 'Listen on the given address without any authentication mechanism.' None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The ExecuteBan and ExecuteUnBan methods trigger security-critical actions: BGP route announcements that can blackhole network traffic, and execution of external notification scripts via popen(). An attacker with local network access can ban arbitrary IP addresses (causing denial of service to legitimate traffic), unban active attacks (disabling DDoS mitigation), and trigger script execution. There is also no role-based access control separating read-only monitoring from destructive administrative operations.
References

Subscriptions

Pavel-odintsov Fastnetmon
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:50:33.688Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48692

cve-icon Vulnrichment

Updated: 2026-05-26T20:49:59.611Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T16:16:27.007

Modified: 2026-06-17T10:55:11.457

Link: CVE-2026-48692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T01:00:12Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function