TheCyberThrone

Progress releases patch for CVE-2024-7591

Progress Software has released a patch for a critical vulnerability affecting its LoadMaster application delivery controller (ADC) and load balancer solution that could allow unauthenticated, remote attackers to execute arbitrary system commands through the management interface of LoadMaster.

The vulnerability, tracked as CVE-2024-7591 with a CVSS score of 10, arises from improper input validation, allowing attackers to inject OS commands through crafted HTTP requests targeting the management interface of LoadMaster. This flaw enables potential malicious actors to execute commands on the underlying operating system without authentication. While there have been no confirmed reports of exploitation, the severity of the issue has led Progress to urge all customers to patch their systems immediately.

Affected Products and Versions

This vulnerability also affects Multi-Tenant LoadMaster, specifically the individual instantiated LoadMaster VNFs and the MT hypervisor or Manager node. These components must be patched promptly to prevent potential exploitation.

Progress Software has issued an add-on package that addresses the vulnerability by sanitizing user input to prevent arbitrary command execution. The package is available for download and can be installed on any version of LoadMaster, even if the unit is no longer supported.

Progress has stated that it has not received reports of active exploitation, but it is recommended to update as soon as possible.
