CVE-2024-7591 (CVSS 10): Critical Vulnerability Discovered in Progress LoadMaster
Progress Software Corporation has issued a security advisory for a critical vulnerability (CVE-2024-7591) affecting its LoadMaster application delivery controller (ADC) and load balancer. The vulnerability, which carries a CVSS score of 10, allows unauthenticated, remote attackers to execute arbitrary system commands through the LoadMaster management interface.
What Is LoadMaster?
Progress LoadMaster is a high-performance ADC and load balancing solution designed to ensure the availability, scalability, performance, and security of critical applications and websites for organizations across industries. However, the recently discovered flaw highlights a significant security risk for those running unpatched versions of the software.
Understanding the Vulnerability: CVE-2024-7591
The vulnerability arises from improper input validation: an attacker can inject OS commands through crafted HTTP requests sent to the LoadMaster management interface, and those commands run on the underlying operating system without any authentication. Because no credentials are needed, every host that can reach the management interface is a potential attacker, so how widely that interface is exposed determines the blast radius. While there have been no confirmed reports of exploitation, the severity of the issue has led Progress to urge all customers to patch their systems immediately.
Affected Products and Versions
The following products and versions are impacted:
- LoadMaster versions 7.2.60.0 and earlier.
- Multi-Tenant Hypervisor versions 7.1.35.11 and earlier.
This vulnerability also affects Multi-Tenant LoadMaster (LoadMaster MT), specifically the individual instantiated LoadMaster VNFs and the MT hypervisor or Manager node. These components must be patched promptly to prevent potential exploitation.
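The version thresholds above are the whole test for whether a unit is exposed, with one catch: the fix ships as an add-on package rather than a new version, so a unit can report an affected version number and still be patched. The following triage script is an added example (not Progress code) that applies both rules to an inventory; the hostnames, the `addon_installed` flag and the product labels are constructed for the example.

```python
"""Triage a LoadMaster inventory against the CVE-2024-7591 affected-version
thresholds published in the Progress advisory.

Added example, not Progress code. The inventory records, hostnames and the
product labels ("loadmaster", "mt-hypervisor") are assumptions made here.
"""
from typing import Dict, List, Tuple

# Thresholds from the advisory: these versions and everything earlier are affected.
AFFECTED_THROUGH: Dict[str, Tuple[int, ...]] = {
    "loadmaster": (7, 2, 60, 0),      # LoadMaster 7.2.60.0 and earlier
    "mt-hypervisor": (7, 1, 35, 11),  # Multi-Tenant Hypervisor 7.1.35.11 and earlier
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.60.0' into (7, 2, 60, 0).

    Pads to four components so that '7.2.60' compares equal to '7.2.60.0'
    instead of sorting before it and being misclassified.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product: str, version: str) -> bool:
    """True when the version is at or below the advisory threshold for its product."""
    try:
        threshold = AFFECTED_THROUGH[product]
    except KeyError:
        raise ValueError(f"unknown product: {product!r}") from None
    return parse_version(version) <= threshold


def needs_patch(record: Dict[str, object]) -> bool:
    """A unit needs the add-on when its version is affected and the add-on is
    not already installed. Version alone is not enough: the fix is an add-on
    package, not a version bump, so track installation separately."""
    return is_affected(str(record["product"]), str(record["version"])) and not bool(
        record.get("addon_installed", False)
    )


def triage(inventory: List[Dict[str, object]]) -> List[str]:
    """Return the hostnames that still need the CVE-2024-7591 add-on package."""
    return [str(rec["host"]) for rec in inventory if needs_patch(rec)]


# Constructed sample inventory (hostnames, versions and flags are made up).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "lm-edge-01", "product": "loadmaster", "version": "7.2.59.4", "addon_installed": False},
    {"host": "lm-edge-02", "product": "loadmaster", "version": "7.2.60.0", "addon_installed": True},
    {"host": "lm-edge-03", "product": "loadmaster", "version": "7.2.61.0", "addon_installed": False},
    {"host": "lm-edge-04", "product": "loadmaster", "version": "7.2.60", "addon_installed": False},
    {"host": "mt-hv-01", "product": "mt-hypervisor", "version": "7.1.35.11", "addon_installed": False},
    {"host": "mt-hv-02", "product": "mt-hypervisor", "version": "7.1.35.12", "addon_installed": False},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: apply the CVE-2024-7591 add-on package")
```

Note that `lm-edge-02` is on an affected version but is not reported because the add-on is recorded as installed; if your inventory system cannot see add-on state, treat every unit at or below the threshold as unpatched.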
Mitigation and Patch Availability
Progress Software has issued an add-on package that addresses the vulnerability by sanitizing user input to prevent arbitrary command execution. The package is available for download and can be installed on any version of LoadMaster, even if the unit is no longer supported.
To install the patch, customers should navigate to the System Configuration > System Administration > Update Software section of the LoadMaster UI. The package can be downloaded from the following links:
What to Do Next
Although Progress has stated that it has not received reports of active exploitation, the critical nature of this vulnerability means that any delay in patching could leave organizations exposed to serious risk. IT administrators and security teams should:
- Immediately apply the add-on package to all affected systems, including every LoadMaster MT VNF and the MT hypervisor or Manager node.
- Ensure all LoadMaster systems are up to date with the latest security fixes.
- Restrict access to the management interface to trusted administrative networks; because the flaw needs no authentication, an internet-reachable management interface is the worst case.
- Review management-interface access logs and network traffic for requests from unexpected sources, or requests whose parameters contain shell metacharacters, either of which could indicate an attempted exploitation.
In addition to applying the patch, regular security audits and vulnerability assessments should be conducted to ensure the ongoing safety of critical infrastructure.
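One way to turn the monitoring advice into a concrete check, as an added example that is not Progress code: scan web-access-log lines for requests to the management interface that either come from outside the administrative network or carry shell metacharacters in the path or a query value (the pattern an OS command injection through a crafted HTTP request would leave). The log format, the `/access/` path prefix used to identify management requests, the admin network range and the sample lines are all assumptions made for this example.

```python
"""Flag access-log lines that look like probing of, or command injection
through, a LoadMaster management interface.

Added example, not Progress code. Assumptions: the log uses a Common Log
Format-style layout; management requests live under MGMT_PREFIXES; only
ADMIN_NETS should ever reach the management interface.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

MGMT_PREFIXES = ("/access/",)                       # assumed management path prefix
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed admin network
# Characters that chain, terminate or substitute a shell command. They are
# matched only against the decoded path and decoded query values, so the '&'
# that separates query parameters does not trigger a false positive.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def from_admin_net(src: str) -> bool:
    """True when the client address falls inside an allowed admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(addr in net for net in ADMIN_NETS)


def suspicious_parts(target: str) -> List[str]:
    """Return the decoded path or query values that contain shell metacharacters."""
    parts = urlsplit(target)
    candidates = [unquote(parts.path)]
    # parse_qsl decodes once; decode again so a double-encoded payload
    # (%253B -> %3B -> ;) is still caught.
    candidates += [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return [c for c in candidates if SHELL_META.search(c)]


def inspect_request(src: str, target: str) -> List[str]:
    """Findings for one request; empty when the request is not a management call."""
    findings: List[str] = []
    if not target.startswith(MGMT_PREFIXES):
        return findings
    if not from_admin_net(src):
        findings.append("mgmt-interface-from-unexpected-source")
    if suspicious_parts(target):
        findings.append("shell-metacharacters-in-mgmt-request")
    return findings


def analyze_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (source, request target, findings) for every flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, _ts, _method, target, _status = m.groups()
        findings = inspect_request(src, target)
        if findings:
            hits.append((src, target, findings))
    return hits


# Constructed sample log lines (addresses, timestamps and requests are made up).
SAMPLE_LOG = [
    '10.10.0.5 - - [06/Sep/2024:10:01:02 +0000] "GET /access/get?param=version HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Sep/2024:10:01:09 +0000] "GET /access/get?param=version HTTP/1.1" 401 0',
    '203.0.113.7 - - [06/Sep/2024:10:01:11 +0000] "GET /access/set?param=hostname&value=x%3Bid HTTP/1.1" 401 0',
    '10.10.0.5 - - [06/Sep/2024:10:02:30 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '10.10.0.9 - - [06/Sep/2024:10:03:44 +0000] "GET /access/get?param=foo%60whoami%60 HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for src, target, findings in analyze_log(SAMPLE_LOG):
        print(f"{src} {target} -> {', '.join(findings)}")
```

The first sample line is a normal administrative call and is not reported; the last one comes from the admin network but still fires, since an injection attempt from a compromised admin host is exactly the case the metacharacter rule exists for. Tune `ADMIN_NETS` and `MGMT_PREFIXES` to your deployment before trusting the output.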