"Progress LoadMaster Vulnerable to 10/10 Severity RCE Flaw"

Progress Software has recently issued an emergency fix for a maximum-severity (10/10) vulnerability affecting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device. The company said the flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem that lets an unauthenticated, remote attacker reach LoadMaster's management interface using a specially crafted HTTP request. Because user input is not sanitized, the same request can also be used to execute arbitrary system commands on vulnerable endpoints. The company noted that unauthenticated, remote attackers with access to the LoadMaster management interface can issue a carefully crafted HTTP request that results in arbitrary system commands being executed. CVE-2024-7591 affects LoadMaster version 7.2.60.0 and all previous versions, and MT Hypervisor version 7.1.35.11 and all prior releases. The Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches are also affected. To fix the flaw, Progress released an add-on package that can be installed on any of the vulnerable versions, including older releases, so there is no target version to upgrade to in order to address the risk from this vulnerability. The company noted that the patch does not apply to the free version of LoadMaster, so CVE-2024-7591 remains a problem there.


BleepingComputer reports: "Progress LoadMaster Vulnerable to 10/10 Severity RCE Flaw"

Submitted by Adam Ekwall on