Progress Flowmon Flaws Enable Command Execution and Admin Session Abuse
Progress disclosed two high-severity vulnerabilities in Flowmon that affect versions prior to 12.5.8, with one issue also affecting versions prior to 13.0.6. CVE-2026-3692 is a CWE-78 flaw that allows an authenticated low-privileged user to craft a request during report generation and trigger unintended command execution on the server, creating a path to compromise confidentiality, integrity, and availability without requiring user interaction.
The second issue, CVE-2026-2737, is a CWE-79 web-session attack in the Flowmon web application that can be triggered if an administrator clicks a malicious link supplied by an attacker. Progress said the flaw can cause unintended actions within the administrator’s authenticated session, exposing organizations to account misuse and broader system impact. The vulnerabilities were reported through Progress and documented in the vendor advisory portal, with affected customers urged to move to fixed releases 12.5.8 and 13.0.6 where applicable.
Timeline
Apr 2, 2026
CVE-2026-2737 and CVE-2026-3692 are publicly disclosed
Public disclosure detailed two high-severity Flowmon vulnerabilities: CVE-2026-2737, a malicious-link web-session attack mapped to CWE-79, and CVE-2026-3692, a command execution flaw mapped to CWE-78. Both disclosures identified affected versions and described high potential impact to confidentiality, integrity, and availability.
Apr 2, 2026
Progress publishes advisory for Flowmon command execution flaw CVE-2026-3692
Progress published a vendor advisory for CVE-2026-3692 on its community advisory portal. The vulnerability affects Flowmon versions prior to 12.5.8 and allows an authenticated low-privileged user to trigger unintended command execution during report generation.
Apr 2, 2026
Progress receives report of CVE-2026-2737 in Flowmon
Progress disclosed that the report of CVE-2026-2737, which affects Flowmon versions prior to 12.5.8 and 13.0.6, was received via security@progress.com. The flaw can let an attacker trigger unintended actions in an administrator's authenticated web session if the administrator clicks a malicious link.
Related Stories

Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including **LoadMaster**, **ECS Connection Manager**, **Object Scale Connection Manager**, and **MOVEit WAF**. The issues, tracked as `CVE-2026-3517` and `CVE-2026-3519`, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as `CWE-77` and carry a `CVSS v3.1` vector of `AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. `CVE-2026-3517` allows an attacker with **Geo Administration** permissions to exploit the `addcountry` command, while `CVE-2026-3519` requires **VS Administration** permissions to abuse the `aclcontrol` command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
1 week ago
Active Exploitation of Flowise CustomMCP RCE Exposes Thousands of Internet-Facing Instances
Threat actors are actively exploiting **CVE-2025-59528**, a **CVSS 10.0** remote code execution flaw in the open-source AI platform **Flowise**. The bug affects Flowise versions through **3.0.5** and stems from the `CustomMCP` node unsafely passing user-controlled input into JavaScript execution, allowing attackers with an API token to run arbitrary code with full **Node.js** runtime privileges. Researchers said the issue can be triggered remotely via a crafted HTTP `POST` request without user interaction, leading to operating system command execution, filesystem access, sensitive data theft, and full system compromise. Security researchers observed in-the-wild exploitation originating from a single **Starlink IP address**, while warning that roughly **12,000 to 15,000** internet-exposed Flowise instances sharply expand the attack surface for opportunistic attacks. Flowise disclosed the vulnerability in 2025, credited researcher **Kim SooHyun**, and patched the flaw in **version 3.0.6**. The incident marks the third Flowise vulnerability reported as exploited in the wild after **CVE-2025-8943** and **CVE-2025-26319**, increasing pressure on organizations to upgrade immediately and limit public exposure of Flowise APIs.
1 week ago
Critical Authentication Bypass Flaws Disclosed in Progress MOVEit Automation
Progress Software disclosed two critical vulnerabilities in **MOVEit Automation**, including **CVE-2026-4670**, an improper authentication flaw that can allow authentication bypass over the network without user interaction. The issue is rated critical with CVSS `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating potential for high-impact compromise of confidentiality, integrity, and availability. Progress linked the flaw to **CWE-305** and included it in a security bulletin covering both **CVE-2026-4670** and **CVE-2026-5174**. The advisories affect multiple MOVEit Automation release branches, including versions prior to **2025.0.9**, **2024.1.8**, and releases before **2024.0.0**, with broader vendor and government guidance also referencing affected builds such as **2025.1.4 and earlier**, **2025.0.8 and earlier**, **2024.1.7 and earlier**, and **2024.0.0 and earlier**. The Canadian Centre for Cyber Security urged organizations to review the Progress bulletin and apply the required updates to mitigate exposure in internet-reachable file transfer automation environments.
2 days ago