The Monitoring Blind Spot: How Novee AI Discovered CVE-2025-10240 in Progress Flowmon
Novee's agent saw something worth investigating. Our researchers proved it was worth a CVE.
Progress Flowmon is deployed on thousands of appliances worldwide to monitor network traffic across industries including finance, healthcare, government, and critical infrastructure, where it plays an important role in security operations.
During continuous penetration testing initiated by Progress, Novee identified a client-side vulnerability that, under specific conditions, could allow actions to be performed within an authenticated administrative session. This issue was responsibly disclosed to Progress and was assigned CVE-2025-10240.
This post describes the technical path to discovering CVE-2025-10240 and the steps taken to remediate it.
We would like to acknowledge the Progress team for their professional and responsive handling of this disclosure. They quickly validated the issue, triaged it appropriately, and released a fix in Flowmon 12.5.5.
The Discovery
During a continuous penetration test, Novee’s autonomous testing system flagged suspicious behavior around the navigateToElement parameter in Flowmon’s web interface. The parameter’s value was written directly into the DOM without validation or output encoding, a classic sink for client-side (DOM-based) exploitation.
That anomaly alone wasn’t catastrophic. But it was unusual enough for escalation. Novee researchers began analyzing the issue and quickly confirmed an attack chain that went far beyond textbook cross-site scripting (XSS). What started as a subtle DOM parameter issue turned into a significant discovery to which Progress assigned a full CVE:
CVE-2025-10240 — High-severity XSS enabling unintended actions.
Progress has publicly acknowledged the issue. According to their advisory, all Flowmon versions prior to 12.5.5 are vulnerable, and exploitation can occur when a user clicks a malicious link that causes “unintended actions within their authenticated session”.
(Progress advisory:
https://community.progress.com/s/article/Can-CVE-2025-10240-affect-Progress-Flowmon-appliance)
From XSS to Administrative Compromise
Progress describes this as an XSS condition. Here’s how it works:
The attack vector works whether or not the victim is already authenticated. If the user clicks the link while unauthenticated, Flowmon stores the payload and redirects to the login page; after a successful login, the appliance restores the stored payload and processes it inside the privileged administrative UI. Because the payload is processed on the client side, an attacker-controlled script runs in the victim’s browser.
This means:
- A malicious link is accessed by the administrator
- If not logged in, the administrator logs in normally
- Flowmon restores the payload after login
- The attacker’s payload executes inside the admin’s authenticated browser session
In other words, CVE-2025-10240 allows script execution as the administrator.
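To make that flow concrete, here is an added example (not Flowmon’s code, and not derived from the vulnerable implementation): a small JavaScript model of a navigation parameter that is stored while the user is unauthenticated, restored after login, and then written into the DOM, shown next to a hardened version that allowlists the target and never writes it as markup. The handler names, the pendingNavigate storage key, the allowlist of element IDs and the flowmon.example host are all assumptions made for the illustration.

```javascript
// Added illustration, not Flowmon's code: a minimal model of the pattern the
// post describes (a navigation parameter persisted across the login redirect
// and then written into the DOM), shown insecure and hardened side by side.
// All names (pendingNavigate, the allowlist, flowmon.example) are hypothetical.

const PARAM = "navigateToElement";
const PENDING_KEY = "pendingNavigate"; // hypothetical storage key

// Stand-ins for window.sessionStorage and a DOM element so this runs under Node.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}
function makeElement() {
  return { innerHTML: "", textContent: "", scrolledTo: null };
}

// Vulnerable handler: trusts the raw parameter, keeps it across the
// unauthenticated -> login -> authenticated hop, then writes it as markup.
function vulnerableHandle(url, storage, loggedIn, container) {
  const fromUrl = new URL(url).searchParams.get(PARAM);
  const value = fromUrl ?? storage.getItem(PENDING_KEY);
  if (value === null) return { action: "none" };
  if (!loggedIn) {
    storage.setItem(PENDING_KEY, value); // payload survives the redirect to /login
    return { action: "redirect", to: "/login" };
  }
  storage.removeItem(PENDING_KEY);
  // DOM XSS sink: the attacker-controlled string becomes HTML inside the admin UI.
  container.innerHTML = `<div class="highlight">Jumping to ${value}</div>`;
  return { action: "navigate", target: value };
}

// Hardened handler: the parameter may only name an element on an allowlist,
// it is re-validated when read back from storage, and it is never written as HTML.
const ELEMENT_ID = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;
const KNOWN_TARGETS = new Set(["alerts", "dashboard", "flows", "settings"]); // hypothetical

function safeTarget(value) {
  if (typeof value !== "string" || !ELEMENT_ID.test(value)) return null;
  return KNOWN_TARGETS.has(value) ? value : null;
}

function hardenedHandle(url, storage, loggedIn, container) {
  const fromUrl = safeTarget(new URL(url).searchParams.get(PARAM));
  const value = fromUrl ?? safeTarget(storage.getItem(PENDING_KEY)); // storage is untrusted too
  if (value === null) {
    storage.removeItem(PENDING_KEY); // drop anything that failed validation
    return { action: "none" };
  }
  if (!loggedIn) {
    storage.setItem(PENDING_KEY, value);
    return { action: "redirect", to: "/login" };
  }
  storage.removeItem(PENDING_KEY);
  container.scrolledTo = value;                  // a real page would call scrollIntoView()
  container.textContent = `Jumping to ${value}`; // text node, never markup
  return { action: "navigate", target: value };
}

// Drive a handler through the two-step flow: click while logged out, then the
// post-login page load that restores whatever was stored.
function runFlow(handler, firstUrl) {
  const storage = makeStorage();
  const el = makeElement();
  const unauth = handler(firstUrl, storage, false, el);
  const postLogin = handler("https://flowmon.example/", storage, true, el);
  return { unauth, postLogin, injected: el.innerHTML.includes("onerror=") };
}

function demo() {
  const probe = '<img src=x onerror="alert(1)">'; // generic XSS probe, constructed for the demo
  const evil = `https://flowmon.example/?${PARAM}=${encodeURIComponent(probe)}`;
  const benign = `https://flowmon.example/?${PARAM}=dashboard`;
  return {
    vulnerable: runFlow(vulnerableHandle, evil),
    hardened: runFlow(hardenedHandle, evil),
    hardenedBenign: runFlow(hardenedHandle, benign),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the model is the second step: the vulnerable handler does not need the malicious URL to be present after login, because the stored value is enough to reach the sink. The hardened handler treats the restored value with the same suspicion as the query string, so a payload that was parked in storage before login is discarded rather than replayed into the administrative UI.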
It’s important to note the exploitation constraints. To construct the link, an attacker needs to identify a deployed Flowmon instance and an administrator of that appliance, and then get that administrator to click the link. Once that happens, the attacker is no longer limited to browser tricks: the script runs with full administrative context and can interact with Flowmon’s own APIs.
We confirmed the ability to:
- Create new administrator accounts
- Change monitoring configurations
- Access and view user data
- Communicate with the API and perform any available action
- Trigger modules that can potentially run on the server itself
In short, under the conditions described above, the vulnerability yields full administrative control within the affected session.
Why Flowmon Matters
Progress Flowmon is a network monitoring and analytics platform used by enterprises to understand traffic behavior, detect anomalies, and investigate incidents. It sits at the center of visibility for many security teams, especially in regulated and critical environments.
Flowmon is not an edge system or a convenience tool. It is a source of truth.
Given the exploitation constraints described above, a successful attack requires targeted planning. If those conditions are met, however, the impact is significant: an attacker could gain insight into network monitoring data and potentially manipulate configurations.
Instead of triggering alerts, an attacker can shape the monitoring layer itself. That materially changes the risk profile for affected deployments.
Remediation
Progress addressed this issue in Flowmon 12.5.5, which is now available. Upgrading to this version resolves the vulnerability.
Final Thoughts
CVE-2025-10240 started as an anomaly in how Flowmon handled a single parameter. It ended as a path to administrative compromise under specific exploitation conditions.
This discovery came during the early evolution of Novee’s autonomous testing capabilities; a period when our security researchers worked hand-in-hand with the agent, closely studying and validating every finding it surfaced. The agent flagged the suspicious DOM behavior; our researchers confirmed the exploitation path. That tight feedback loop is how we evolve Novee’s capabilities to this day. It’s not just quality control; it’s how we continuously teach the system to think like an attacker.
What’s remarkable is that the agent caught this in the first place. The subtle authentication-state behavior, the persistence of the backlink parameter across login, the DOM sink: these are the kinds of signals that annual pentests routinely miss and automated scanners dismiss as noise. The agent saw something worth investigating. Our researchers proved it was worth a CVE.
Want to see what continuous penetration testing can find in your environment? Book a demo.