Progress Software has released an emergency patch for a critical 10/10 severity vulnerability (CVE-2024-7591) in its LoadMaster products, allowing remote command execution. Users are urged to update immediately to prevent potential attacks.
Progress Software, a leading provider of software solutions for application delivery and management, has recently issued an emergency fix for a critical vulnerability that impacts its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products.
What is LoadMaster?
LoadMaster is a family of load balancers and application delivery controllers (ADCs) developed by Kemp Technologies. These devices are used to improve the performance, scalability, and availability of web applications and services by distributing network traffic across multiple servers. Kemp Technologies was acquired by Progress Software in September 2021.
10/10 CVSS score
The vulnerability, identified as CVE-2024-7591, is considered highly dangerous due to its severity rating of 10 out of 10 on the Common Vulnerability Scoring System (CVSS). This rating means that the vulnerability is critical and can be easily exploited by unauthenticated remote attackers seeking to gain control of the affected systems.
The flaw lies within the management interface of LoadMaster products, allowing attackers to send specially crafted HTTP requests that could lead to the execution of arbitrary system commands on the device. This poses significant risks to organizations that depend on LoadMaster for load balancing and network management.
Affected Products
The vulnerability affects all versions of LoadMaster and the LoadMaster Multi-Tenant Hypervisor, except the most recent releases. Customers can obtain the necessary update by downloading an add-on package from Progress Software’s support portal. The add-on package includes a file for XML validation and can be installed on any LoadMaster release, even those no longer supported.
In addition to applying the emergency fix, organizations should also follow security hardening guidelines and restrict access to the management interface to trusted IP addresses. This will help minimize the likelihood of unauthorized access and potential exploitation.
Progress Software has not reported any incidents of the vulnerability being exploited thus far. However, the company is urging all users of LoadMaster products to upgrade their systems as soon as possible to mitigate any potential threats.
Why You Should Act Now
Jason Soroko, Senior Fellow at cybersecurity firm Sectigo, emphasized the urgency of addressing this flaw. He noted that given the widespread use of LoadMaster for balancing traffic in enterprise environments, neglecting to patch this vulnerability could lead to devastating consequences.
Soroko also pointed to the company’s recent challenges following the MOVEit breach, adding that this new issue could further expose Progress Software to security risks.
“The CVE-2024-7591 vulnerability in Progress Software’s LoadMaster products is highly critical due to its 10/10 CVSS score, and security teams should immediately apply the emergency fix, isolate vulnerable systems from untrusted networks, and restrict access to the management interface to trusted IPs only,” Soroko advised.