CVE-2026-48697

May 27, 2026, 3:31 p.m.

7.4
High

Description

FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.

Product(s) Impacted

Vendor Product Versions
Pavel-odintsov
  • Fastnetmon
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a pavel-odintsov fastnetmon / / / / community / / /

References

https://github.com/pavel-odintsov/fastnetmon
https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fast_library.cpp
https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48697-missing-tls-validation

Tags

[email protected]
CWE-295
2026-05-26
CVE-2026-48697

CVSS Score

7.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: May 26, 2026, 5:16 p.m.
Last Modified: May 27, 2026, 3:31 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.