Progress Kemp LoadMaster has maximum severity critical flaw
Take action: If you are using Progress Kemp LoadMaster or ECS Connection Manager, isolate them behind secure network access and patch ASAP. The exploit is trivial, and all it takes is for a PoC to be published before hacker groups start exploiting it.
A critical vulnerability is reported in Progress Kemp's LoadMaster, a widely utilized cloud-based application delivery platform.
The flaw is tracked as CVE-2024-1212 (CVSS score 10) and enables unauthenticated, remote attackers to execute arbitrary system commands on the LoadMaster platform via a specially crafted API command, without requiring authentication. The vulnerability impacts all versions of the LoadMaster platform after version 7.2.48.1. The security flaw is also present in the ECS Connection Manager product from Progress Kemp.
Progress Kemp has released several patches across different versions of the LoadMaster to mitigate the risks associated with this flaw. For users of the free version of LoadMaster, it is advised to back up their configuration, deploy a new version of the platform that does not contain the vulnerability, and then restore their configuration from the backup.
Additionally, Progress Kemp has updated its password policy and strongly recommends that all customers adhere to the new guidelines and reset their passwords accordingly. The firm also advises customers to follow their security hardening guidelines to further protect against potential threats.
There had been no reported instances of the flaw being exploited in the wild as of the advisory's publication. Progress Kemp advises isolating the LoadMaster's management interface on a dedicated network interface.