Skip to main content

FastNetMon Community Edition EUVDEUVD-2026-31900

| CVE-2026-48697 HIGH
Improper Certificate Validation (CWE-295)
2026-05-26 mitre GHSA-vw83-prmh-h2qc
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 08:59 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
7.4 (HIGH)
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 26, 2026 - 00:00 nvd
HIGH 7.4

DescriptionCVE.org

FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.

AnalysisAI

Man-in-the-middle interception of telemetry traffic affects FastNetMon Community Edition through version 1.2.9 due to missing TLS certificate validation in outbound HTTPS connections. Network-positioned attackers can intercept, modify, or redirect telemetry data sent to community-stats.fastnetmon.com - including system fingerprints, kernel version, traffic statistics, and configuration details - and potentially serve malicious responses. EPSS is very low (0.01%), and there is no public exploit identified at time of analysis, though a technical write-up by Lorikeet Security details the root cause.

Technical ContextAI

FastNetMon is an open-source DDoS detection and traffic analysis tool. The vulnerability resides in the execute_web_request_secure() function in src/fast_library.cpp, which constructs a boost::asio::ssl::context in tls_client mode and loads system CA certificates via set_default_verify_paths(), but omits the required set_verify_mode(boost::asio::ssl::verify_peer) call. Per OpenSSL/Boost.Asio semantics, verification defaults to SSL_VERIFY_NONE when the verify mode is never set, so the TLS handshake completes against any presented certificate without validating its chain, hostname, or trust anchor. This is a textbook CWE-295 (Improper Certificate Validation) defect, exacerbated by the misleading function name ('secure') suggesting validation that does not occur.

RemediationAI

No vendor-released patched version is identified at time of analysis - the references point to the upstream repository and a third-party write-up (https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48697-missing-tls-validation) rather than a tagged fix release; track https://github.com/pavel-odintsov/fastnetmon for an updated release and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48697 for advisory updates. As compensating controls, disable community telemetry reporting if the build/configuration allows (eliminates the vulnerable code path at the cost of losing community statistics contribution), or egress-filter outbound traffic so connections to community-stats.fastnetmon.com traverse only trusted network paths (e.g., via a vetted forward proxy that performs proper certificate validation), accepting the operational cost of maintaining that proxy. A local source patch adding ctx.set_verify_mode(boost::asio::ssl::verify_peer) plus hostname verification in execute_web_request_secure() is straightforward for operators who build from source.

CVE-2014-0160 HIGH POC
7.5 Apr 07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe

CVE-2014-0195 MEDIUM POC
6.8 Jun 05

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2016-0800 MEDIUM POC
5.9 Mar 01

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se

CVE-2015-0204 MEDIUM POC
4.3 Jan 09

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k

CVE-2014-3566 LOW POC
3.4 Oct 15

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2022-3602 HIGH
7.5 Nov 01

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig

CVE-2014-3470 MEDIUM
4.3 Jun 05

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

Share

EUVD-2026-31900 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy