Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.
AnalysisAI
Man-in-the-middle interception of telemetry traffic affects FastNetMon Community Edition through version 1.2.9 due to missing TLS certificate validation in outbound HTTPS connections. Network-positioned attackers can intercept, modify, or redirect telemetry data sent to community-stats.fastnetmon.com - including system fingerprints, kernel version, traffic statistics, and configuration details - and potentially serve malicious responses. EPSS is very low (0.01%), and there is no public exploit identified at time of analysis, though a technical write-up by Lorikeet Security details the root cause.
Technical ContextAI
FastNetMon is an open-source DDoS detection and traffic analysis tool. The vulnerability resides in the execute_web_request_secure() function in src/fast_library.cpp, which constructs a boost::asio::ssl::context in tls_client mode and loads system CA certificates via set_default_verify_paths(), but omits the required set_verify_mode(boost::asio::ssl::verify_peer) call. Per OpenSSL/Boost.Asio semantics, verification defaults to SSL_VERIFY_NONE when the verify mode is never set, so the TLS handshake completes against any presented certificate without validating its chain, hostname, or trust anchor. This is a textbook CWE-295 (Improper Certificate Validation) defect, exacerbated by the misleading function name ('secure') suggesting validation that does not occur.
RemediationAI
No vendor-released patched version is identified at time of analysis - the references point to the upstream repository and a third-party write-up (https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48697-missing-tls-validation) rather than a tagged fix release; track https://github.com/pavel-odintsov/fastnetmon for an updated release and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48697 for advisory updates. As compensating controls, disable community telemetry reporting if the build/configuration allows (eliminates the vulnerable code path at the cost of losing community statistics contribution), or egress-filter outbound traffic so connections to community-stats.fastnetmon.com traverse only trusted network paths (e.g., via a vetted forward proxy that performs proper certificate validation), accepting the operational cost of maintaining that proxy. A local source patch adding ctx.set_verify_mode(boost::asio::ssl::verify_peer) plus hostname verification in execute_web_request_secure() is straightforward for operators who build from source.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31900
GHSA-vw83-prmh-h2qc