What is the critical security vulnerability identified in Progress LoadMaster?

Progress has identified a critical security vulnerability in its LoadMaster product line, including all LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. The vulnerability, tracked as CVE-2024-7591 (CVSS score 10), allows unauthenticated, remote attackers to execute arbitrary code on affected systems.

What causes the CVE-2024-7591 vulnerability in LoadMaster?

The CVE-2024-7591 vulnerability is caused by improper input validation on the LoadMaster management interface. An attacker could exploit this flaw by sending a specially crafted HTTP request, enabling the execution of arbitrary system commands on the target.

Which versions of LoadMaster are affected by CVE-2024-7591?

All LoadMaster versions up to 7.2.60.0 and all LoadMaster Multi-Tenant Hypervisor versions up to 7.1.35.11 are affected by CVE-2024-7591.

What has Progress released to address the CVE-2024-7591 vulnerability?

Progress has released an add-on package designed to sanitize user input and prevent the execution of arbitrary commands. This patch, which includes an XML validation file, was made available on September 3, 2024, for all affected versions of LoadMaster.

What should LoadMaster users do to mitigate the CVE-2024-7591 vulnerability?

Users are advised to install the add-on package immediately through the System Configuration > System Administration > Update Software UI page and adhere to Progress's security hardening guidelines to secure LoadMaster environments and reduce potential vulnerabilities.

Have there been any reported exploits of the CVE-2024-7591 vulnerability?

No reported exploits of this vulnerability have been observed to date.

Incident

Avis car rental reports data breach impacting customers

published: Sept. 6, 2024

Learn More

American car rental giant Avis has disclosed a data breach that affected some of its customers' personal information. The breach occurred when unknown attackers gained unauthorized access to one of Avis's business applications.

The unauthorized access took place between August 3 and August 6, 2024. The breach was discovered by Avis on August 5, 2024. After discovering the breach, Avis took steps to terminate the unauthorized access and initiated an investigation with external cybersecurity experts.

The company notified relevant authorities and impacted customers, including filings with California's Office of the Attorney General and South Carolina's Department of Consumer Affairs.

The stolen information includes customers' names and potentially other sensitive data. The specific types of other sensitive information and the number of impacted customers have not been disclosed.

Update - as of 9th of September, it's reported that the incident exposed 300,000 customers.

Avis is warning affected customers and advising them to monitor their credit history and account statements for any unauthorized activities and is providing affected customers with a complimentary one-year membership to Equifax's credit monitoring service.

Avis car rental reports data breach impacting customers

Read More
Hacker gang Cyber Army Russia Reborn claim attack …
Hacker claims breach of Australian logistic Victorian Freight …
FedEx Corporation Group Health Plan reports data breach …
U-Haul reports data breach, 67,000 customers impacted
Europcar GitLab repository breach exposes data of up …