
Flowmon Anomaly Detection System (ADS) Release Notes

Version 12.5

  • Last Updated: May 1, 2026

Introduction

We are excited to announce the features and enhancements implemented in version 12.5 of Flowmon ADS. This release:

  • Introduces Threat Briefings for detection of emerging threats.
  • Provides recommendations for remedial actions and detection tuning in Event Detail.
  • Provides better control over Event Response by introducing manual script triggering from Event Detail.
  • Adds Interactive Visualization of event source and target communications directly in Event Detail.
  • Redesigns Event Detail to enhance clarity and visual appeal while accommodating new features.
  • Improves the Histogram in Event Evidence to provide instant insights.
  • Introduces several Quality of Life improvements, for example, faster navigation through the UI and the ability to tag events.

Flowmon ADS 12.5.5 release date: 12th March 2026

Let us know your feedback

Customers helped to choose and validate some of the features that went into this release. We want to hear from you to continue to improve Flowmon ADS. You can request to join and participate in pre-release activities on the Flowmon Customer Validation Program (CVP) and vote on and submit your product ideas on our ideas portal. Thank you for helping to make Flowmon ADS better!

Note

You can find the release information (installation, requirements, and so on) at the bottom of this page.

The fixed and known issues for the 12.5.x bug fix versions are available below the What's New in Flowmon ADS 12.5? section.

What’s New in Flowmon ADS 12.5?

Threat Briefings

Threat Briefings are curated security intelligence updates designed to keep you informed about emerging threats, vulnerabilities, and attack campaigns that may impact your environment. Created by an AI and reviewed by Flowmon security experts before distribution, these briefings are available in Flowmon ADS on a dedicated page, with detection carried out by a new THREATS detection method.

Each briefing includes a detailed description of the threat, associated vulnerabilities, causes, and recommended mitigation measures. Moreover, each of the Threat Briefings contains a list of Indicators of Compromise (IoCs), which are used to detect suspicious activities from the moment the briefing is available in Flowmon ADS. You can find the IoCs that triggered detection in method-specific attributes in Event Detail → Attributes in the events detected by the THREATS method. For retrospective analysis, you can easily use the IoCs to query data stored on the Flowmon Collector (in the Monitoring Center), allowing you to examine communications related to a specific Threat Briefing.

Detail on the Threat Briefings page

On the page, you can see a list of individual Threat Briefings. You can sort them by last detection, publish date, total events, or name. You can also filter to only show the briefings with detected events, allowing you to focus on the most important threats. Clicking a Threat Briefing will display its details to help you understand the threat and steps for its mitigation. At the bottom, there are actions available, which serve as shortcuts to view related events within selected periods or to open the Monitoring Center with a prefilled filter using the briefing’s IoCs. You can use this feature for retrospective analysis of communications related to the specific Threat Briefing.

Warning

New detection methods are not assigned to any perspectives to prevent unwanted configuration changes. So, while the THREATS method is active after the update, you must assign the method to some of your perspectives to see related events. You can do this in Settings → Processing → Perspectives.

The THREATS method can detect malicious communications from HTTP, HTTPS, and DNS traffic. A Flowmon Probe is required to gather this information from network traffic. To enable export and collection, allow HTTP, TLS main (for HTTPS), and DNS values export in the Monitoring Ports settings of your Flowmon Probes and allow the collection in the Flow Database Fields settings on your Flowmon Collector. For more information, refer to the Flowmon User Guide.

Event Detail of the THREATS detection method

Note

Threat Briefings are distributed using the services portal. All our customers can experience this feature with the Flowmon ADS 12.5 release.

In 2026 this feature will only be available to customers with valid NDR Extended Support. For more information, refer to the Progress Community portal.

Recommendations in Event Detail

One of the key features in this version is the addition of Recommendations in the Event Detail. This new functionality empowers you to manage your security environment with greater confidence and effectiveness. The recommendations provide guidance, helping you validate detections to determine whether they are security incidents, misconfigurations, or another issue. They will help you to identify the root cause in addition to suggesting remedial actions to prevent further impact. You will also receive advice on tuning the system to eliminate unwanted detections.

Example Recommendations

Note

At the time of Flowmon ADS 12.5.0 Beta, recommendations for some methods might not be available yet. The recommendations are distributed through the services portal, and the ones that are currently missing will become available automatically without the need to upgrade Flowmon ADS.

All our customers can experience this feature with the Flowmon ADS 12.5 release. In 2026 this feature will only be available to customers with valid NDR Extended Support. You can find more information on the Progress Community portal.

Response directly from Event Detail

Flowmon ADS already provides multiple ways to respond to detected events, including triggering a script, which is commonly used for integration with third-party solutions such as firewalls. To provide you with better control of when the scripts are triggered, we added a new option to manually trigger a script from the Event Detail. When you decide to respond to an event using a manual script trigger, you select from scripts previously added to Flowmon ADS (in Settings → System Settings → Custom Scripts), adjust script parameters (if necessary), and then execute the script. There is also an option to leave a comment that the script was triggered, so that you have a record of this action available directly in the event comments.

Initiate Response button in the Event Detail

Moreover, to make supported Flowmon integration scripts more accessible, we added a link to our GitHub repository with the integration scripts to the UI. You can find it in Settings → System Settings → Custom Scripts. Scripts can only be added by Flowmon ADS admin users and can be manually triggered by all users. Non-admin users can also log the script trigger if the Event categorization for non-admins option is enabled in Settings → System Settings → General Settings.

Initiate Response dialog for manual script trigger

Note

During the update, the default 'Demo Email Reporter' script is updated to a new Extended version which also exports the method subtype and MITRE ATT&CK tactics in addition to supporting IDS events (which can be triggered from the IDS Event Detail).

Information about the perspective and priority is not available when exporting event data through a manual script trigger.

Event Visualization

The Event Visualization feature was completely overhauled to provide you with a powerful tool to visualize and analyze communications between event source, targets, and other hosts. You can easily investigate the relations of affected hosts directly from the Event Detail and drill-down to details like related events or flow analysis for each host in the visualization.

Interactive Visualization in the Event Detail

The visualization shows hosts as nodes and their communications as edges. The color corresponds to the number of flows and the width corresponds to the amount of data transferred. You can display the communications of individual hosts or their communication with other hosts in a flow table below. You can also add more hosts into the visualization by using the three-dot menu. These hosts might not be directly related to the event (being source or targets), but they are communication peers during the event duration. You can also use the IP three-dot menu to check related events or jump directly to the Monitoring Center to analyze flow data.

Drill-down from the Visualization for more details

Redesigned Event Detail

Event Detail was redesigned to enhance clarity and visual appeal, while accommodating new features such as Recommendations and Event Visualization. The following changes were made in the top part of the Event Detail:

  • The top section now includes the name of the detection method and submethod together with details related to the detected event.
  • Probability is now shown in the form of a label next to the detection method name if it is lower than 100%. False positive events are indicated the same way (see the picture below).
  • The three-dot menu in the header of the Event Detail was removed because these options are now incorporated in the form.
  • The Copy event ID option was moved next to the Event ID on the top-left corner.
  • The Initiate Response button was added to allow you to manually trigger a script (described above).

The middle part of the Event Detail also has some changes:

  • The Duration of the event was added (the difference between the Last update and the Detection time).
  • Probability and False Positive parameters were removed because they are indicated as labels in the top section.
  • Categories can now be managed and are visible directly in this section.

Changes in the Event Detail

The bottom part of the Event detail remains mostly the same except for the removal of the Category tab and the addition of the Info and Visualization tabs. The Info tab includes a description of the detection method, mapping of the detected event to MITRE ATT&CK® tactics and techniques (both of these were in the top section previously), and new Recommendations and Actions.

Summary and Recommendations in the Event Detail

The Actions serve as shortcuts for your next step in Flowmon while investigating the event or changing the detection method parameters to tune the detection.

Actions in the Event Detail

Improved Histogram in Event Evidence

The Histogram in Event Evidence now provides the best possible insights without the need to reconfigure its parameters. Previously, the default parameters were the same for every event. Now, each detection method has its own default set of parameters to provide the best visualization possible. For example, the High Volume of Transferred Data (HIGHTRANSF) method shows the sum of the transferred bytes for each destination IP address. Therefore, you will immediately see how much data was transferred in addition to the ratios between individual IP addresses (for example, one IP address transferred much more than the other).

Note

The Histogram always visualizes the data in the Event Evidence flow table below. Filtering the table will also affect the histogram visualization. You can also use the Histogram to filter the table by clicking the columns. The flows in Event Evidence (Monitoring Center flows) are not always the same flows that were used for event detection. Therefore, the information from the details in the top section and the number of targets might differ from what you see in the histogram.

Improved Histogram in the Event Detail

Other Changes

  • A new MinimalProbability parameter in SSH attack (SSHDICT) allows you to exclude detection of events that have a lower probability than the parameter.
  • The Configuration section was added to the Analysis Summary. Currently it informs you about active methods that are not assigned to any perspective, resulting in events not being shown. Once all active methods are assigned to any perspective, this notification disappears. It can also be disabled in the settings in the same way as the other sections.

Active unassigned methods highlighted in the Summary

  • The three-dot menu is also now available for the IDS events and it contains the relevant options.
Three-dot menu of the IDS Event

  • The Open in FMC & add to filter option has been added to the event three-dot menu to allow you to quickly get to the Monitoring Center for subsequent flow analysis.
ADS Event Three-dot menu extended

  • Custom scripts can also now export event subtype and MITRE ATT&CK® tactics. To do this, enable the Extended version check box when adding a new script in Settings → System Settings → Custom Scripts. In the Extended version you can also select the tab-separated or JSON format of the event data provided.
  • The page no longer refreshes when an IP address is added to a Filter (allowing you to retain context), for example, during configuration tuning on the Analysis or Events pages. However, because of this change, the data displayed on the page might be outdated.
  • You can now copy attributes in the Event Detail → Attributes tab when you click on them.
  • The settings for integration with ePO were extended with the Timeout parameter that can be adjusted to receive information when the connection is slow. Moreover, you can now use the Test Connection option without needing to save the settings and it shows output for the tested IP addresses.
  • The report as false positive feature was removed because it was not frequently used. This feature was used to report false positive events to Flowmon support, not to mark events as false positives in the Flowmon ADS (the "Mark as false positive" feature is still available).
  • The Assigned Filters sections in the Detection Methods chapter of the User Guide have been updated to provide a clearer explanation of how filters work within each detection method and how they influence the processing of flow data.
  • MITRE ATT&CK updated to version 17.1 for mapping to Flowmon ADS detections.

Fixed Issues

Issues fixed in Flowmon ADS 12.5.5

Ticket number | Issue topic | Issue details | Resolution details
- | Security | CVE-2026-2513 | Fixed a vulnerability that could allow an administrator who clicks a malicious link to inadvertently trigger unintended actions within their authenticated web session.
- | Security | CVE-2026-2514 | Fixed a vulnerability that could allow unintended actions to be executed when viewing maliciously crafted network data.
- | Threat Briefings | A syntax error is displayed in the Monitoring Center during retrospective analysis when proto "ANY" is used. | The prefilled filter no longer contains unsupported syntax.

Issues fixed in Flowmon ADS 12.5.4

Ticket number | Issue topic | Issue details | Resolution details
- | Security | CVE-2025-13774 | Fixed an SQL injection vulnerability that allows authenticated users to execute unintended SQL queries and commands.

Issues fixed in Flowmon ADS 12.5.3

Ticket number | Issue topic | Issue details | Resolution details
01783274 | DHCPANOM Method | Events for OversendingClientIP and OversendingClientNetwork were not generated when increasing the TrafficSizeThreshold, despite sufficient DHCP traffic being present. The event detail was misleading, and the calculation of traffic over time windows could skip intervals with no flows, causing detection to fail. | Improved the calculation of traffic intervals in DHCP anomaly detection to ensure correct event triggering and accurate event details, even when some time slots have no flows.
01797782 | Behavior Patterns | The first flow of events detected by custom behavior pattern has value 1.1.1970. | Fixed an issue that caused wrong first flow timestamp when Event Source is set to Destination IP and at least one unpaired flow was processed.
- | Event Evidence | Some protocol numbers are not translated to protocol names in the Attached Flows table. | Missing protocol names were added.
- | Threat Briefings | There is no DNS flow data when analyzing related communications using Threat Briefing's Indicators of Compromise. | The prefilled filter used when visiting the Monitoring Center - Analysis from the Threat Briefings page was extended (the "dns-qname" filter) to search in the DNS traffic as well.
- | False Positive Label | Event contains the "False Positive" label even though there is no matching false positive rule. | Fixed an issue that caused deactivated False Positive rules to be evaluated incorrectly.

Issues fixed in Flowmon ADS 12.5.2

Ticket number | Issue topic | Issue details | Resolution details
01755460 | Syslog message generation performance | Slow generation of syslog messages could cause delayed exports and a growing event queue, which negatively impacted overall system performance. | The function responsible for generating and exporting syslog messages was optimized.
- | Event Evidence | Some protocol numbers are not translated to protocol names in the flows table (for example, "47" should be "GRE"). | Missing protocol names were added.

Issues fixed in Flowmon ADS 12.5.1

Ticket number | Issue topic | Issue details | Resolution details
- | ePO integration | It was not possible to retrieve IP address information from the ePO server. | Flowmon ADS requests enforce the supported format of data. You can now change the request timeout from the previously hardcoded 5s value up to 300s to get the response from a slow ePO server.

Known Issues

  • REST Application Programming Interface (API) calls only work in the tenant that the user was created in. Currently, there is no API call to switch tenant. This means that the base tenant admin cannot switch to the subtenant to adjust the configuration using the REST API.
  • When working in multiple browser tabs and switching to a different tenant in one tab, you should refresh the other tabs to prevent unexpected issues when making changes in tabs where the tenant was not manually switched.
  • Reports imported from configuration files generated in Flowmon ADS 12.3.0 or older do not contain report chapters created in Flowmon ADS → Report Chapters. The faulty imports are accompanied with an error message, for example: "Cannot display widget 'Events by type for all - Critical'. Please contact your administrator to grant you access to this chapter.". The affected reports must be re-created.

Release Information

Flowmon Anomaly Detection System

Version: 12.5.5

Date: 12th March 2026

This package can be used for new installation or to upgrade Flowmon ADS on a Flowmon appliance.

Copyright © 2007 - 2026 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Support information

If you need help, contact our Support team at the Flowmon Support and Learning Hub.

Compatibility

  • This package is compatible with Flowmon 12.4.0 or higher.

  • This package is compatible with Flowmon Packet Investigator 12.3.0 or higher.

Dependencies

The following table summarizes the minimum required versions of Flowmon and Flowmon ADS for various versions of the package.

The table only lists versions with dependency changes.

Flowmon ADS version | Minimum required version of Flowmon | Minimum required version of ADS | Notes
12.4.0 | 12.4.0 | 12.3.0 |
12.3.0 | 12.3.5 | 12.2.0 |
12.2.0 | 12.3.0 | 11.1.1* | *ADS 12.0.4+ is needed when upgrading FM to 12.3.0
12.1.0 | 12.2.0 | 11.1.1* | *ADS 12.0.4+ is needed when upgrading FM to 12.2.0
12.0.0 | 12.0.0 | 11.1.1* | *ADS 11.2.4+ is needed when upgrading FM to 12.0.0
11.4.1 | 11.1.9 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.9
11.3.2 | 11.1.7 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.7
11.3.0 | 11.1.6 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading to 11.1.6
11.2.0 | 11.1.0 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.0
11.0.4 | 11.0.1 | 10.0.0 |

Installation

The installation requires a Flowmon ADS license. To upgrade from previous major versions, a license with the Standard or Extended Support is required.

The first installation and uninstallation of Flowmon ADS restarts the flow collector for a short period of time, during which flow data is not collected. This affects traffic charts in the Flowmon Monitoring Center and the event chart in Flowmon ADS.

  1. Download the package from the Support portal. Do NOT unpack it.
  2. Log in to Flowmon Configuration Center on your Flowmon appliance.
  3. Open the Version page.
  4. Click Import package and choose the installation package.
  5. Wait until a notification is displayed informing you that the update was successful.

After upgrading from a previous major version, the web User Interface (UI) may display incorrectly with visual issues like missing text. If that happens, try to clear the browser cache.

Cleaning local storage in Firefox/Chrome browser:

  1. Press F12 on your keyboard to open developer tools.
  2. Select the Console tab.
  3. Type the following command: localStorage.clear();
  4. Press enter to confirm the command.

Notes

The Czech and Japanese translations (User Guide and texts added or changed in the UI) might not be available with beta releases. The translations will be available with the stable release at the latest.
