
Progress LoadMaster affected by a severity 10/10 RCE vulnerability


Progress Software has released an emergency patch for a maximum severity (10/10) security vulnerability affecting LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that could allow remote attackers to execute commands on the device.

The vulnerability, identified as CVE-2024-7591, is classified as an improper input validation issue that allows an unauthenticated remote attacker to access the LoadMaster management interface via a specially crafted HTTP request.

Because user-supplied input is not sanitized, the flaw may also allow an attacker to execute arbitrary system commands on vulnerable endpoints.

“Unauthenticated remote attackers with access to the LoadMaster management interface can send a carefully crafted HTTP request that could allow the execution of arbitrary system commands,” the security bulletin reads.

“This vulnerability was closed by sanitizing user input to restrict the execution of arbitrary system commands.”

LoadMaster is an application delivery controller (ADC) and load balancing solution used by large organizations to optimize application performance, manage network traffic, and ensure high service availability.

MT Hypervisor is a version of LoadMaster designed for multi-tenant environments, allowing multiple virtual network functions to run on the same hardware.

CVE-2024-7591 was discovered to affect LoadMaster version 7.2.60.0 and all previous releases, as well as MT Hypervisor version 7.1.35.11 and all previous releases. This also affects the Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches.

To fix this vulnerability, Progress has released an add-on package that can be installed on any vulnerable version, including older releases, so there is no need to update to a newer release to eliminate the risk.

However, the fix does not apply to the free version of LoadMaster, so CVE-2024-7591 is still an issue there.
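For asset triage, the affected ranges and fix conditions above can be turned into a simple inventory check. The following Python sketch is an added example, not code from Progress or from the bulletin; the inventory records, host names and the `free_edition` and `addon_installed` fields are assumptions about what an operator tracks.

```python
# Last affected release per product, as quoted in the article.
LAST_AFFECTED = {
    "loadmaster": (7, 2, 60, 0),
    "mt-hypervisor": (7, 1, 35, 11),
}

# Constructed sample inventory; hosts, field names and versions are made up.
INVENTORY = [
    {"host": "lb-edge-01", "product": "loadmaster", "version": "7.2.60.0"},
    {"host": "lb-edge-02", "product": "loadmaster", "version": "7.2.48.12",
     "addon_installed": True},
    {"host": "lb-lab-01", "product": "loadmaster", "version": "7.2.59.2",
     "free_edition": True},
    {"host": "lb-core-01", "product": "loadmaster", "version": "7.2.60.1"},
    {"host": "mt-host-01", "product": "mt-hypervisor", "version": "7.1.35.11"},
    {"host": "lb-old-01", "product": "loadmaster", "version": "7.2.x"},
]


def parse_version(text):
    """Turn '7.2.60.0' into (7, 2, 60, 0); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def triage(device):
    """Classify one inventory record for CVE-2024-7591."""
    limit = LAST_AFFECTED.get(device["product"])
    if limit is None:
        return "unknown-product"
    try:
        version = parse_version(device["version"])
    except ValueError:
        return "check-manually"
    if version > limit:
        return "not-listed-as-affected"
    if device.get("free_edition"):
        # The article says the fix does not apply to the free version.
        return "affected-no-fix-available"
    if device.get("addon_installed"):
        # The add-on goes onto the existing release, so it is tracked separately.
        return "patched-by-addon"
    return "affected-install-addon"


def triage_all(inventory):
    """Map each host name to its triage status."""
    return {d["host"]: triage(d) for d in inventory}
```

Calling `triage_all(INVENTORY)` returns one status per host; records with a malformed version string come back as `check-manually` instead of being silently treated as safe.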

Progress Software says that at the time of this bulletin’s publication it had not received any reports of this vulnerability being actively exploited.

Nevertheless, all LoadMaster users are advised to take appropriate measures to protect their environment against such an eventuality, including installing the add-on and implementing the vendor-recommended security measures.