Progress Software's Flowmon has a critical vulnerability (CVE-2024-2389) affecting versions 11.x and 12.x.

The vulnerability permits remote attackers to execute system commands without authentication.

No exploitation has been reported, but a proof-of-concept exploit is available publicly.

The vulnerability was reported by researcher David Yesland.

Patched versions (v12.3.5 and 11.1.14) have been released; immediate upgrade is recommended.

Over 1,500 organizations globally, including Sega, TDK, and Kia, could be impacted.