Published: 2025/11/04 Last Updated: 2025/11/04
JVN#11276793
Progress Flowmon vulnerable to authenticated OS command injection
Overview
Progress Flowmon provided by Progress Software Corporation contains an authenticated OS command injection vulnerability.
Products Affected
- Progress Flowmon versions prior to 12.5.5
Description
Progress Flowmon provided by Progress Software Corporation contains the following vulnerability.
- Authenticated OS command injection (CWE-78)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
- CVE-2025-10239
Impact
An authenticated user with administrative privileges may execute additional unintended commands.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Progress Software Corporation | Can CVE-2025-10239 affect Progress Flowmon appliance? |
| | Release Notes Version 12.5 |
Credit
Kentaro Kawane of GMO Cybersecurity by Ierae reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JVN iPedia | JVNDB-2025-000099 |