The Monitoring Blind Spot: How Novee Discovered CVE-2025-10240 in Progress Flowmon
When attackers compromise a monitoring tool, they don't just gain access—they control what security teams see, trust, and act on. That's what made CVE-2025-10240 so dangerous.
When attackers compromise a server, they get access to that server. When they compromise a monitoring tool, they control what defenders see and trust.
They can hide exfiltration. Suppress alerts. Reshape the data defenders rely on. Make themselves invisible.
That’s what made Novee’s discovery of CVE-2025-10240 in Progress Flowmon so critical. This wasn’t just another vulnerability in another enterprise product. This was a flaw in the system responsible for watching everything else.
Progress Flowmon is deployed on tens of thousands of appliances worldwide, monitoring network traffic for enterprises in finance, healthcare, government, and critical infrastructure. It’s a cornerstone of visibility for modern security operations centers.
And through continuous penetration testing, Novee discovered how attackers could weaponize that cornerstone.
The Discovery: When the Watcher Blinked
During a continuous penetration test, Novee’s autonomous testing system flagged suspicious behavior around the navigateToElement parameter in Flowmon’s web interface. The parameter’s value was being written directly into the DOM, a classic sink for client-side injection, and the way it was handled changed depending on whether the user was authenticated.
That anomaly alone wasn’t catastrophic. But it was unusual enough for escalation.
Novee researchers began analyzing the lead and quickly confirmed an attack chain that went far beyond textbook cross-site scripting (XSS). What started as a subtle DOM parameter issue turned into a discovery so significant that Progress assigned it a full CVE:
CVE-2025-10240 — High-severity XSS enabling unintended actions in an authenticated admin session.
Progress has publicly acknowledged the issue. According to their advisory, all Flowmon versions prior to 12.5.5 are vulnerable, and exploitation can occur when a user clicks a malicious link that causes “unintended actions within their authenticated session.”
(Progress advisory: https://community.progress.com/s/article/Can-CVE-2025-10240-affect-Progress-Flowmon-appliance)
Novee’s internal research revealed that those “unintended actions” could escalate to complete administrative takeover.
From XSS to Administrative Compromise
Progress describes the issue as an XSS condition triggered when a user clicks a malicious link. That’s accurate. But the deeper story is what happens after the click.
Flowmon stores backlink parameters when a user lands on the system unauthenticated. After login, the appliance restores these parameters and processes them inside the privileged administrative UI. That restoration happens without sanitizing the attacker-controlled value, so a payload delivered to an unauthenticated page fires later, in the authenticated admin context.
Here’s the attack sequence:
- The administrator, not yet logged in, opens a crafted link; to an unauthenticated user nothing looks wrong, but Flowmon stores the attacker-controlled navigateToElement value as a backlink
- The administrator logs in normally
- Flowmon replays the stored backlink parameter into the admin UI
- The attacker’s payload executes inside the admin’s authenticated browser session
In other words, CVE-2025-10240 allows arbitrary script execution in the administrator’s browser, with the administrator’s session.
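To make the replay concrete, here is an added JavaScript illustration of the pattern the sequence describes; it is example code for this article, not Flowmon’s code. The parameter name navigateToElement is taken from the write-up, while the storage key, the allowlist regex, the placeholder host flowmon.example and the markup wrapper are assumptions made for the demo. It shows the vulnerable replay beside a hardened one.

```javascript
// Added illustration of the backlink-replay pattern. Not Flowmon's code: the storage
// key, the allowlist pattern, the placeholder host and the markup wrapper are assumptions.

const STORAGE_KEY = "backlink";                   // assumed storage key
const SAFE_ELEMENT_ID = /^[A-Za-z0-9_-]{1,64}$/;  // assumed allowlist: a bare element id

// Step 1 (unauthenticated landing): read navigateToElement from the URL the admin opened.
function extractBacklink(url) {
  const parsed = new URL(url, "https://flowmon.example"); // placeholder host
  return parsed.searchParams.get("navigateToElement");     // null when absent
}

// Step 3, vulnerable variant: the persisted value is interpolated straight into markup.
// Returning the string stands in for an innerHTML-style sink; in a browser this
// string would be written into the authenticated page and any <img onerror=...>
// payload inside it would run with the admin's session.
function replayBacklinkVulnerable(saved) {
  if (saved === null) return "";
  return `<div class="highlight">${saved}</div>`;
}

// Step 3, hardened variant: the persisted value is treated as an opaque id, checked
// against a strict allowlist and never turned into markup. The caller would resolve
// it with document.getElementById(id) and call scrollIntoView() on the result.
function replayBacklinkSafe(saved) {
  if (saved === null || !SAFE_ELEMENT_ID.test(saved)) return null;
  return saved;
}

// Whole flow: store before login (step 1), admin logs in (step 2), replay (step 3).
function simulateFlow(landingUrl, replay) {
  const store = new Map();           // stand-in for sessionStorage / localStorage
  const value = extractBacklink(landingUrl);
  if (value !== null) store.set(STORAGE_KEY, value);
  // ... administrator authenticates; the stored value survives the login ...
  const saved = store.has(STORAGE_KEY) ? store.get(STORAGE_KEY) : null;
  return replay(saved);
}

// Constructed inputs for the demo: a benign deep link and a generic XSS probe string.
const BENIGN_LINK = "https://flowmon.example/?navigateToElement=dashboard-panel-3";
const XSS_LINK = "https://flowmon.example/?navigateToElement=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

// Run both variants on both inputs and return the four outcomes.
function demo() {
  return {
    vulnerableBenign: simulateFlow(BENIGN_LINK, replayBacklinkVulnerable),
    vulnerableXss: simulateFlow(XSS_LINK, replayBacklinkVulnerable),
    safeBenign: simulateFlow(BENIGN_LINK, replayBacklinkSafe),
    safeXss: simulateFlow(XSS_LINK, replayBacklinkSafe),
  };
}

console.log(demo());
```

The point of the hardened variant is not escaping but changing the contract: a navigation hint is an identifier, so it is validated as one and never reaches a markup sink. Persisting it across login is still a design smell, because anything stored by an unauthenticated page and replayed after authentication crosses a trust boundary.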
Novee AI validated that once script runs in this context, the attacker can use Flowmon’s own API to perform privileged operations:
- Creating new administrator accounts
- Disabling logs
- Altering monitoring configurations
- Exfiltrating traffic metadata and system data
- Manipulating UI components for phishing or misdirection
This is not just XSS. This is privilege escalation, persistence creation, and administrative compromise.
Why the Stakes Are Exponentially Higher
Flowmon is not a lightweight auxiliary tool. It is a core detection and analytics platform.
A compromised Flowmon appliance doesn’t merely expose one device. It exposes:
- Visibility into entire networks
- Traffic behavior across all segments
- Anomaly detection flows
- Session metadata used by SOC teams
- Insights that guide both defensive and forensic decisions
This makes CVE-2025-10240 particularly dangerous in the wild. An attacker who compromises Flowmon doesn’t just gain access—they gain the ability to manipulate what security teams see, don’t see, and trust.
The Global Footprint
Progress Flowmon is deployed widely across industry:
- More than 1,500 enterprise customers
- Tens of thousands of appliances in active production
- Global presence across 30+ countries
- Deep adoption in regulated and mission-critical environments
This is not a niche concern. A vulnerability in Flowmon affects the backbone of network visibility across industries that cannot afford blind spots: finance, healthcare, telecom, energy, government, manufacturing.
What Progress Confirms
Progress publicly confirms:
- CVE-2025-10240 exists
- It affects all Flowmon versions prior to 12.5.5
- It can be triggered if a user “clicks a malicious link”
- It can cause unintended behavior inside their authenticated session
- The official fix is upgrading to Flowmon 12.5.5
- There is no alternative workaround
Their wording is conservative, but the underlying issue aligns precisely with Novee’s discovery.
Remediation Recommendations
For Flowmon operators, the only fix is the vendor patch:
- Upgrade immediately to Flowmon 12.5.5; Progress lists no workaround
- Alert on admin account creation, privilege changes, and changes to monitoring configuration
For the application itself, and for any product that persists and replays navigation state across login, the root-cause fixes are:
- Validate backlink and navigation parameters against a strict allowlist, treating them as identifiers rather than markup
- Remove unsafe DOM sinks (innerHTML-style writes of untrusted values)
- Deploy a strict Content Security Policy (CSP) that prohibits inline script execution; this limits the damage of a DOM injection but does not remove the underlying bug
Organizations should assume any administrator who opened a crafted Flowmon link before the upgrade may have been compromised. Review the administrator account list and account-creation logs, configuration changes, and any anomalies in monitoring behavior, and treat an unexpected admin account or a disabled log source as an indicator of compromise.
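To check whether a deployed policy actually meets the CSP recommendation above, here is an added JavaScript checker; it is example code written for this article, not Flowmon’s configuration or Novee’s tooling. The two sample policies are constructed for the demo, and the override rules (a nonce, a hash or 'strict-dynamic' causing browsers to ignore 'unsafe-inline') follow the CSP3 specification.

```javascript
// Added example: does a CSP header value still allow inline scripts? Not Flowmon's
// configuration; the sample policies below are constructed for the demo.

// Parse a CSP header value into a Map of directive name -> list of sources.
// Per the spec, a repeated directive is ignored after its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Walk a fallback chain (e.g. script-src-attr -> script-src -> default-src) and
// return the first source list that is present, or null if nothing governs scripts.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// True when inline script in the given context would execute under the policy.
function inlineAllowed(header, chain) {
  const sources = effectiveSources(parseCsp(header), chain);
  if (sources === null) return true;  // no directive restricts scripts at all
  const lower = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  // CSP3: a nonce, a hash, or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const hasOverride = lower.some((s) =>
    s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s) || s === "'strict-dynamic'"
  );
  return hasUnsafeInline && !hasOverride;
}

// Inline <script> elements and inline event handlers (onerror= etc.) use
// different fallback chains; a DOM-injection payload typically relies on the latter.
const SCRIPT_ELEMENT_CHAIN = ["script-src-elem", "script-src", "default-src"];
const SCRIPT_ATTR_CHAIN = ["script-src-attr", "script-src", "default-src"];

function inlineScriptElementAllowed(header) {
  return inlineAllowed(header, SCRIPT_ELEMENT_CHAIN);
}
function inlineEventHandlerAllowed(header) {
  return inlineAllowed(header, SCRIPT_ATTR_CHAIN);
}

// Constructed sample policies: a weak one that an injected payload sails through,
// and a nonce-based one that blocks both inline <script> and inline handlers.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'";

function demoCsp() {
  return {
    weakElement: inlineScriptElementAllowed(WEAK_CSP),
    weakHandler: inlineEventHandlerAllowed(WEAK_CSP),
    strictElement: inlineScriptElementAllowed(STRICT_CSP),
    strictHandler: inlineEventHandlerAllowed(STRICT_CSP),
  };
}

console.log(demoCsp());
```

A policy that passes this check still has to be deployable: every legitimate script element on the page must carry the nonce, and the nonce must be fresh per response. The checker does not model 'unsafe-hashes' for hashed event handlers, and it says nothing about non-script damage from injected markup (dangling markup, redirected form actions), which is why CSP is listed as a mitigation and the allowlist plus sink removal as the fix.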
Final Thoughts
CVE-2025-10240 started as an anomaly in how Flowmon handled a single parameter. It ended as a complete path to administrative compromise in a globally deployed monitoring platform.
The gap between those two points is where most security programs fail. Finding the initial anomaly requires continuous testing that operates at attacker speed. Tracing it to full exploitation requires researchers who think like offensive operators, not compliance checkers.
Novee’s platform delivered both. The autonomous system caught what annual pentests would have missed. The research team validated what automated scanners would have dismissed as routine XSS.
A single DOM parameter. Complete administrative compromise. The tools that provide visibility can become the weapons that destroy it.
Want to see what continuous penetration testing can find in your environment? Book a demo.