FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The executewebrequestsecure() function in src/fastlibrary.cpp creates a boost::asio::ssl::context with tlsclient mode and calls setdefaultverifypaths() to load CA certificates, but never calls setverifymode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48697.json",
"cna_assigner": "mitre"
}{
"source": [
"DESCRIPTION",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:pavel-odintsov:fastnetmon:*:*:*:*:community:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.2.9"
},
{
"last_affected": "1.2.9"
}
]
}