Description
FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.
Published: 2026-05-26
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastNetMon Community Edition through 1.2.9 does not validate TLS certificates on outbound HTTPS requests. The execute_web_request_secure() function builds a boost::asio::ssl::context in tls_client mode and loads CA certificates with set_default_verify_paths(), but never calls set_verify_mode(boost::asio::ssl::verify_peer). A boost::asio::ssl::context starts with the OpenSSL default of verify_none, so the loaded CA store is never consulted and the handshake completes against any certificate, including a self-signed one presented by an interposed host. The flaw is classified as CWE-295 (Improper Certificate Validation) and turns the telemetry connection to community-stats.fastnetmon.com into a man-in-the-middle channel: an attacker on the network path, or one who controls name resolution for that host, can read the system and network information the client sends and return arbitrary responses in the server's place.
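The pattern described above can be checked for in any boost::asio client code base with a small source audit. The script below is an added example written for this page, not FastNetMon's code, and the audit() function, the ContextReport type and the two C++ snippets it scans are all constructed here: the first snippet mirrors the advisory's description of execute_web_request_secure() (a tls_client context, set_default_verify_paths(), no set_verify_mode()), the second is its hardened counterpart, and neither is copied from src/fast_library.cpp. The checker goes slightly beyond the advisory and also flags the two mistakes commonly made when fixing this class of bug: enabling verify_peer without loading a CA store (every handshake then fails), and enabling verify_peer without a host name check (Boost.Asio does no host name matching unless set_verify_callback installs host_name_verification or the older rfc2818_verification, so a valid certificate for any host is accepted).

```python
"""Audit C++ source for boost::asio::ssl::context objects that never enable peer verification (CWE-295).

Added example for this page; not FastNetMon's code. The two C++ snippets below are constructed to
match the advisory's description of execute_web_request_secure() and its hardened counterpart.
"""
import re
from dataclasses import dataclass, field

# ssl::context declared with an explicit method, e.g. ssl::context ctx(ssl::context::tls_client)
CTX_DECL = re.compile(
    r"\b(?:boost::asio::)?ssl::context\s+(\w+)\s*[({]\s*(?:boost::asio::)?ssl::context::(\w+)"
)
# ssl::stream built on a context, e.g. ssl::stream<tcp::socket> s(io, ctx): calls on s count for ctx
STREAM_DECL = re.compile(
    r"\b(?:boost::asio::)?ssl::stream<[^>]*>\s+(\w+)\s*[({]\s*[^,]+,\s*(\w+)\s*[)}]"
)
# Verification-related method calls with their argument text (non-greedy up to the closing ');')
CALL = re.compile(
    r"\b(\w+)\.(set_verify_mode|set_verify_callback|set_default_verify_paths"
    r"|load_verify_file|add_certificate_authority)\s*\((.*?)\)\s*;",
    re.S,
)


@dataclass
class ContextReport:
    name: str
    method: str
    loads_cas: bool = False
    verify_peer: bool = False
    hostname_check: bool = False
    issues: list[str] = field(default_factory=list)


def audit(source: str) -> list[ContextReport]:
    """Return one report per ssl::context found in source, with any CWE-295 findings."""
    reports = {m.group(1): ContextReport(m.group(1), m.group(2)) for m in CTX_DECL.finditer(source)}
    # Map stream variables back to the context they were built on, so stream-level calls count too.
    alias = {s: ctx for s, ctx in STREAM_DECL.findall(source) if ctx in reports}
    for obj, method, args in CALL.findall(source):
        rep = reports.get(alias.get(obj, obj))
        if rep is None:
            continue
        if method in ("set_default_verify_paths", "load_verify_file", "add_certificate_authority"):
            rep.loads_cas = True
        elif method == "set_verify_mode":
            # verify_none anywhere in the mask means the chain is never checked.
            rep.verify_peer = "verify_peer" in args and "verify_none" not in args
        elif method == "set_verify_callback":
            # Boost.Asio only matches the host name if one of these callbacks is installed.
            rep.hostname_check = re.search(r"host_name_verification|rfc2818_verification", args) is not None
    for rep in reports.values():
        if not rep.verify_peer:
            rep.issues.append("CWE-295: set_verify_mode(verify_peer) never called; the context keeps the "
                              "default verify_none, so loaded CAs are ignored and any certificate is accepted")
        else:
            if not rep.loads_cas:
                rep.issues.append("verify_peer set but no CA store loaded; every handshake will fail")
            if not rep.hostname_check:
                rep.issues.append("verify_peer set without a host name check; a valid certificate "
                                  "for any host chaining to a trusted CA is accepted")
    return list(reports.values())


# Constructed sample mirroring the pattern the advisory describes; not the project's source.
VULNERABLE = """
bool execute_web_request_secure(const std::string& host, const std::string& path) {
    boost::asio::io_context io;
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls_client);
    ctx.set_default_verify_paths();   // CAs are loaded ...
    boost::asio::ssl::stream<boost::asio::ip::tcp::socket> stream(io, ctx);
    // ... resolve, connect, stream.handshake(client), write request ...
    return true;                      // ... but never consulted: verify mode is still verify_none
}
"""

# Constructed hardened form: verify_peer on the context plus a host name check bound to the target host.
HARDENED = """
bool execute_web_request_secure(const std::string& host, const std::string& path) {
    boost::asio::io_context io;
    boost::asio::ssl::context ctx(boost::asio::ssl::context::tls_client);
    ctx.set_default_verify_paths();
    ctx.set_verify_mode(boost::asio::ssl::verify_peer);
    boost::asio::ssl::stream<boost::asio::ip::tcp::socket> stream(io, ctx);
    stream.set_verify_callback(boost::asio::ssl::host_name_verification(host));
    // ... handshake now fails on a forged or mismatched chain instead of proceeding ...
    return true;
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for rep in audit(src):
            status = "OK" if not rep.issues else "; ".join(rep.issues)
            print(f"{label}: {rep.name} ({rep.method}) verify_peer={rep.verify_peer} -> {status}")
```

Run it against a checkout with something like find src -name '*.cpp' and feed each file to audit(); a report with a CWE-295 issue is the pattern this CVE describes. The regexes are deliberately simple and will miss a lambda callback or a context passed through a helper function, so treat a clean result as a prompt for review, not proof.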

Affected Systems

All installations of FastNetMon Community Edition at version 1.2.9 or earlier are affected; the CPE recorded on this page (cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*) covers the community edition only. The issue is in execute_web_request_secure() in src/fast_library.cpp and affects the telemetry reporting routine that contacts community-stats.fastnetmon.com; any other caller of that function in a given build would share the defect. Users should verify their installed version against the official repository.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.4 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The EPSS score is below 1%, and the CVE is not listed in CISA's KEV catalog. Attack complexity is rated high because the attacker must first obtain a position on the network path between the FastNetMon host and community-stats.fastnetmon.com, or control of name resolution for that host; no privileges on the FastNetMon system and no user interaction are needed. From that position no exploit is required beyond presenting any certificate: the client accepts it, so the attacker can read the telemetry payload (CPU model, kernel version, traffic statistics, software configuration) and supply arbitrary responses. The SSVC assessment on this page records no known exploitation and rates the attack as not automatable. No vendor fix or workaround is listed here, so blocking or disabling the telemetry traffic is the available interim control.

Generated by OpenCVE AI on May 27, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Track the vendor repository for a release that adds set_verify_mode(boost::asio::ssl::verify_peer) and a host name check to execute_web_request_secure(), and upgrade once one is published; no fixed version is listed on this page, so do not assume a newer build is safe without confirming the change.
  • If an immediate upgrade is not possible, disable telemetry reporting where the build offers a setting for it, and in any case block outbound connections from the FastNetMon host to community-stats.fastnetmon.com until the patch can be applied. Redirecting the traffic to a local endpoint does not help on its own, because the client accepts that endpoint's certificate just as readily as an attacker's.
  • Where outbound HTTPS must traverse a TLS-terminating egress proxy, have the proxy validate the upstream certificate on the client's behalf; this only covers the hop beyond the proxy, since the unverified client will also accept any certificate on the path to the proxy. A firewall cannot tell whether a client verified a handshake, so the remaining network-layer control is to log and deny the connection attempt.

Generated by OpenCVE AI on May 27, 2026 at 00:05 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 15:45:00 +0000

Type: CPEs
Values removed: none
Values added: cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

Wed, 27 May 2026 00:15:00 +0000

Type: Title
Values removed: none
Values added: TLS Certificate Validation Missing in FastNetMon Community Edition

Tue, 26 May 2026 21:30:00 +0000

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 19:00:00 +0000

Type: Title
Values added: TLS Certificate Validation Missing in FastNetMon Community Edition
Type: First Time appeared
Values added: Pavel-odintsov; Pavel-odintsov fastnetmon
Type: Weaknesses
Values added: CWE-295
Type: Vendors & Products
Values added: Pavel-odintsov; Pavel-odintsov fastnetmon

Tue, 26 May 2026 17:00:00 +0000

Type: Description
Values added: FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T20:30:08.127Z

Reserved: 2026-05-22T00:00:00.000Z

Link: CVE-2026-48697

Vulnrichment

Updated: 2026-05-26T20:29:28.694Z

NVD

Status : Analyzed

Published: 2026-05-26T17:16:53.920

Modified: 2026-05-27T15:31:15.843

Link: CVE-2026-48697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T00:15:11Z

Weaknesses
  • CWE-295

    Improper Certificate Validation