Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
An attacker gains access to the system through the LoadMaster management interface without requiring any credentials. The vulnerability is classified as command injection (CWE-78), meaning that input data supplied by the attacker is passed directly to the system shell without proper validation or sanitization. This allows execution of arbitrary commands with the privileges of the process handling the management interface.
An unauthenticated attacker can take full control of the device by executing arbitrary system commands — which includes data theft, configuration modification, backdoor installation, and potential lateral movement within the internal network.
LoadMaster software must be updated immediately to version LMOS 7.2.59.2, 7.2.54.8, or 7.2.48.10 (depending on the branch in use). Additionally, it is recommended to restrict access to the management interface only to trusted IP addresses and to isolate the management interface from the production network.
Progress LoadMaster — versions indicated in the manufacturer's references (patch available in LMOS 7.2.59.2, 7.2.54.8, and 7.2.48.10 versions according to the manufacturer's documentation)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HProgress Loadmaster
APPProgress7.2.48.1 – 7.2.48.10 (bez)7.2.54.0 – 7.2.54.8 (bez)7.2.55.0 – 7.2.59.2 (bez)
CISA KEV — detailsi
- Vendori
- Progress ↗
- Producti
- Kemp LoadMaster
- Added to KEVi
- November 18, 2024
- Remediation deadline (US Federal)i
- December 9, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Related vulnerabilities
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticate...
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticat...
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticat...
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticat...
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated...