CVE-2024-2389

CRITICAL EXPLOITED NUCLEI

Progress Kemp Flowmon - Command Injection

Title source: nuclei

Exploitation Summary

CVE-2024-2389 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including adhikara13 and Dave Yesland with Rhino Security Labs, among them the Metasploit module exploits/linux/http/progress_flowmon_unauth_cmd_injection. A Nuclei detection template is also available.

Description

In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

Exploits (3)

nomisec WORKING POC 2 stars
by adhikara13 · remote
https://github.com/adhikara13/CVE-2024-2389

The repository contains a functional Python exploit for CVE-2024-2389, targeting Progress Kemp Flowmon via command injection in the `service.pdfs/confluence` endpoint to achieve a reverse shell. The exploit uses a crafted URL with a netcat payload to execute arbitrary commands on the target system.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Progress Kemp Flowmon
No auth needed
Prerequisites: Python 3.x · requests library · target host reachable · attacker-controlled IP and port for reverse shell
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Dave Yesland with Rhino Security Labs · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before 12.03.02 via the 'pluginPath' parameter in a GET request to 'service.pdfs'.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Progress Flowmon < 12.03.02
No auth needed
Prerequisites: Network access to the target's web interface · Target running a vulnerable version of Progress Flowmon
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Dave Yesland with Rhino Security Labs · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb

This Metasploit module exploits a sudo privilege escalation vulnerability in Progress Flowmon by overwriting a PHP file to add a sudoers entry, allowing execution of arbitrary commands as root.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Progress Flowmon up to version 12.3.5
Auth required
Prerequisites: Write access to a directory (e.g., /tmp) · Presence of vulnerable Progress Flowmon installation
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Progress Kemp Flowmon - Command Injection
CRITICAL · VERIFIED · by pdresearch, parthmalhotra
Shodan: Server: Flowmon

Scores

CVSS v3 10.0
EPSS 0.9435
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2024-04-26
CWE CWE-78
Status published
Products (1)
progress/flowmon < 11.1.14
Published Apr 02, 2024
Tracked Since Feb 18, 2026