Progress Software has addressed multiple high-severity security flaws in its LoadMaster software that could be exploited by malicious actors to execute arbitrary system commands or download any file from the system.
Kemp LoadMaster is a high-performance application delivery controller (ADC) and load balancer that provides availability, scalability, performance, and security for business-critical applications and websites.
The identified vulnerabilities are listed below –
- CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (CVSS scores: 8.4) – A set of improper input validation vulnerabilities that allow remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to execute arbitrary system commands via a carefully crafted HTTP request
- CVE-2024-56134 (CVSS score: 8.4) – An improper input validation vulnerability that allows remote malicious actors who gain access to the management interface of LoadMaster and successfully authenticate to download the content of any file on the system via a carefully crafted HTTP request
The following versions of the software are affected by the flaws –
- LoadMaster versions from 7.2.55.0 to 7.2.60.1 (inclusive) – Fixed in 7.2.61.0 (GA)
- LoadMaster versions from 7.2.49.0 to 7.2.54.12 (inclusive) – Fixed in 7.2.54.13 (LTSF)
- LoadMaster version 7.2.48.12 and prior – Upgrade to LTSF or GA
- Multi-Tenant LoadMaster version 7.1.35.12 and prior – Fixed in 7.1.35.13 (GA)
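A defender checking a fleet against the version list above can encode the published ranges directly. The following is an added example, not code from Progress or the advisory; it assumes LoadMaster versions compare numerically component by component, and the inventory entries are constructed sample data.

```python
from __future__ import annotations

# Affected ranges and remediation as published for CVE-2024-56131..56135.
# (low inclusive, high inclusive, remediation)
LOADMASTER_RANGES = [
    ("7.2.55.0", "7.2.60.1", "Upgrade to 7.2.61.0 (GA)"),
    ("7.2.49.0", "7.2.54.12", "Upgrade to 7.2.54.13 (LTSF)"),
]
LEGACY_MAX = "7.2.48.12"          # this build and prior: move to LTSF or GA
MULTI_TENANT_FIXED = "7.1.35.13"  # Multi-Tenant LoadMaster fixed release


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '7.2.55.0' into (7, 2, 55, 0) so tuples compare numerically.

    Assumption: LoadMaster builds order by component, which is how the
    advisory's 'from X to Y (inclusive)' ranges read.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    if not parts:
        raise ValueError(f"bad version: {v!r}")
    return parts


def assess(version: str, multi_tenant: bool = False) -> tuple[bool, str]:
    """Return (affected, remediation) for one LoadMaster build."""
    v = parse_version(version)
    if multi_tenant:
        if v < parse_version(MULTI_TENANT_FIXED):
            return True, f"Upgrade to {MULTI_TENANT_FIXED} (GA)"
        return False, "Not affected (Multi-Tenant fixed release or later)"
    for low, high, fix in LOADMASTER_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fix
    if v <= parse_version(LEGACY_MAX):
        return True, "Upgrade to LTSF (7.2.54.13) or GA (7.2.61.0)"
    return False, "Not affected (fixed release or later)"


def triage_inventory(inventory: list[dict]) -> list[dict]:
    """Return only the hosts that still need patching, with the fix to apply."""
    findings = []
    for host in inventory:
        affected, fix = assess(host["version"], host.get("multi_tenant", False))
        if affected:
            findings.append({"host": host["host"], "version": host["version"], "fix": fix})
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "lm-edge-01.example.test", "version": "7.2.60.1"},
    {"host": "lm-edge-02.example.test", "version": "7.2.61.0"},
    {"host": "lm-ltsf-01.example.test", "version": "7.2.54.12"},
    {"host": "lm-old-01.example.test", "version": "7.2.48.12"},
    {"host": "lm-mt-01.example.test", "version": "7.1.35.12", "multi_tenant": True},
]
```

Run `triage_inventory(SAMPLE_INVENTORY)` to list the four constructed hosts that still need an upgrade; the 7.2.61.0 host is the only one reported clean.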
Progress Software noted that it has no evidence that any of the aforementioned vulnerabilities have been exploited in the wild. That said, with previously disclosed flaws weaponized by threat actors in the past, it’s essential that customers apply the latest patches for optimal protection.