216.73.217.98

CVE-2026-48697

· Published 26/05/2026 17:16 · Modified 27/05/2026 15:31

Labels: CVE-2026-48697 2026-05-26CVE-2026-48697CWE-295[email protected]

Essential information

Published
26/05/2026 17:16
Modified
27/05/2026 15:31
Author
Creator
CVSS
7.4 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
pavel-odintsov / fastnetmon cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*

References