Description
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges 'Listen on the given address without any authentication mechanism.' None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The ExecuteBan and ExecuteUnBan methods trigger security-critical actions: BGP route announcements that can blackhole network traffic, and execution of external notification scripts via popen(). An attacker with local network access can ban arbitrary IP addresses (causing denial of service to legitimate traffic), unban active attacks (disabling DDoS mitigation), and trigger script execution. There is also no role-based access control separating read-only monitoring from destructive administrative operations.
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition releases up to 1.2.9 run a gRPC API server on port 50052 that is started with insecure credentials, and the code comments confirm that no authentication is performed. The exposed RPC methods (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, and others) do not perform any credential checking, allowing an attacker to trigger administrative actions. An attacker who can reach the endpoint can ban IP addresses, which can silently blackhole legitimate traffic; unban calls can disable active DoS protection; and the ban and unban paths run external notification scripts through popen(), effectively providing remote code execution. The weakness stems from missing authentication and lack of role-based access control, a classic improper access control flaw.

Affected Systems

All FastNetMon Community Edition binaries released through v1.2.9 contain this flaw. The CVE payload lists no other vendors or product versions, so only the Community Edition source code packaged in these releases is affected. The vulnerability is exposed through the gRPC listener on TCP port 50052 and is present regardless of network topology, although the description notes that local network reachability is sufficient to exploit it. Subsequent releases may not contain the insecure configuration, but this is not confirmed in the CVE data.

Risk and Exploitability

Because the service accepts connections on port 50052 with no authentication, an attacker who can access the host or local network can invoke any RPC method. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the combination of critical network-level actions and command execution via popen() gives the flaw a high potential impact. The attack vector is local or network access to port 50052; the effects could include disabling DoS defenses, blackholing traffic, and executing arbitrary code on the server, thereby compromising the entire network.

Generated by OpenCVE AI on May 26, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest FastNetMon release that implements secure credentials for the gRPC server and enforces authentication for administrative RPCs.
  • If an upgrade is not immediately possible, modify the source to replace grpc::InsecureServerCredentials() with grpc::SslServerCredentials() (or equivalent) and require client certificates or tokens, or comment out the insecure server initialization and rebuild.
  • Restrict external traffic to TCP port 50052 using firewall rules or a VPN so that only trusted administrative hosts can reach the gRPC endpoint.
  • Optionally patch or disable the RPC methods that execute popen() or that perform bans/unbans until a secure implementation is applied.
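
A check for the exposure behind the firewall recommendation above, added here as an example and not part of the OpenCVE record or FastNetMon's code: it parses `ss -H -ltn` output and reports port 50052 listeners bound to anything other than loopback. The sample lines are constructed, each standing for a different host, and the function names are illustrative.

```python
import ipaddress

GRPC_API_PORT = 50052  # FastNetMon gRPC API port named in the advisory

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:50052      0.0.0.0:*
LISTEN 0      128        127.0.0.1:50052      0.0.0.0:*
LISTEN 0      4096            [::]:50052         [::]:*
LISTEN 0      128  192.0.2.15%eth0:50052      0.0.0.0:*
LISTEN 0      128                *:22               *:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)

def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if addr.is_loopback else "specific"

def exposed_listeners(ss_output, port=GRPC_API_PORT):
    """List (bind_address, kind) for listeners on `port` reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or non-listening rows
        host, local_port = split_local(fields[3])
        if local_port != port:
            continue
        kind = classify(host)
        if kind != "loopback":
            findings.append((host, kind))
    return findings

if __name__ == "__main__":
    for host, kind in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {GRPC_API_PORT} bound to {host} ({kind}): restrict with firewall rules")
```

A wildcard or specific bind means the unauthenticated API is reachable from other hosts unless a firewall rule in front of it says otherwise.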


Advisories

No advisories yet.

History

Tue, 26 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated gRPC API Allows Remote Code Execution and DoS in FastNetMon Community Edition
Weaknesses | | CWE-284, CWE-73, CWE-863

Tue, 26 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pavel-odintsov; Pavel-odintsov fastnetmon
Vendors & Products | | Pavel-odintsov; Pavel-odintsov fastnetmon

Tue, 26 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Same text as the Description section at the top of this page.
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T15:32:21.989Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48692

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T16:16:27.007

Modified: 2026-05-26T16:16:27.007

Link: CVE-2026-48692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T17:00:13Z

Weaknesses