Advisory

Progress LoadMaster critical vulnerability allows hackers to execute arbitrary code

Take action: If you are running Progress LoadMaster, first make sure the management interface is isolated from the internet and reachable only from a trusted network. Then plan a patch as soon as possible, because a single endpoint compromised through phishing or malware is all an attacker needs to reach the management interface.

Progress has identified a critical security vulnerability in its LoadMaster product line, including all LoadMaster releases and the LoadMaster Multi-Tenant (MT) hypervisor. Progress LoadMaster is an application delivery controller (ADC) and load balancer designed to ensure the availability, scalability, performance, and security of business-critical applications and websites.

The vulnerability, tracked as CVE-2024-7591 (CVSS score 10), allows unauthenticated, remote attackers to execute arbitrary code on affected systems. It stems from improper input validation on the LoadMaster management interface. An attacker could exploit this vulnerability by sending a specially crafted HTTP request, which would enable the execution of arbitrary system commands on the target. This flaw poses a significant risk to the overall security of affected systems.

Impacted Versions

  • LoadMaster Versions: All versions up to 7.2.60.0.
  • LoadMaster Multi-Tenant Hypervisor Versions: All versions up to 7.1.35.11.

This vulnerability affects individual instantiated LoadMaster Virtual Network Functions (VNFs) as well as the MT hypervisor or Manager node. While no exploitation of this vulnerability has been reported to date, Progress urges all customers to secure their systems immediately.
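The impacted-version ranges above are easy to get wrong when checked by eye or by string comparison (for example, "7.2.9.0" sorts after "7.2.60.0" as text). The following triage helper is an added example, not Progress's code or tooling: it compares build numbers numerically against the advisory's ranges, reading "all versions up to X" as including X. Hostnames and version strings in the sample inventory are constructed.

```python
# Added example (not Progress's code): triage whether a LoadMaster or
# LoadMaster MT hypervisor build falls inside the ranges given in the
# advisory for CVE-2024-7591. Versions are compared component by
# component as integers, never as text.
import re

# Last affected build per product line, as stated in the advisory
# ("all versions up to ..." is read as inclusive of that build).
LAST_AFFECTED = {
    "loadmaster": (7, 2, 60, 0),
    "mt_hypervisor": (7, 1, 35, 11),
}

def parse_version(text: str) -> tuple:
    """Turn '7.2.59.0' into (7, 2, 59, 0); reject anything that is not
    dotted integers so an unexpected banner format fails loudly."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    # Pad so '7.2.60' compares equal to '7.2.60.0' (tuple comparison
    # would otherwise rank the shorter form as older).
    return parts + (0,) * (4 - len(parts))

def is_affected(product: str, version: str) -> bool:
    """True when the build is within the advisory's affected range."""
    return parse_version(version) <= LAST_AFFECTED[product]

def triage(inventory):
    """inventory: iterable of (hostname, product, version) tuples, e.g.
    from an asset register. Returns hostnames that still need the add-on."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("lb-edge-01", "loadmaster", "7.2.59.2"),
        ("lb-edge-02", "loadmaster", "7.2.60.0"),
        ("lb-core-01", "loadmaster", "7.2.61.0"),
        ("mt-mgr-01", "mt_hypervisor", "7.1.35.11"),
        ("mt-mgr-02", "mt_hypervisor", "7.1.36.0"),
    ]
    for host in triage(sample):
        print(f"{host}: apply the CVE-2024-7591 add-on package")
```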

Progress has released an add-on package designed to sanitize user input and prevent the execution of arbitrary commands. This patch, which includes an XML validation file, was made available on September 3, 2024, for all affected versions of LoadMaster, irrespective of the support status of the unit.

Users are advised to install this add-on package immediately through the System Configuration > System Administration > Update Software UI page.

In addition to applying the patch, Progress recommends that all customers follow its security hardening guidelines, which provide best practices for securing LoadMaster environments and reducing exposure.