CVE-2024-1212 | Unauthenticated remote attackers can access the system throu… | CVSS 10.0 CRITICAL

Description

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Metadata

CVE ID: CVE-2024-1212
State: PUBLISHED
Assigner: ProgressSoftware
Reserved: 2024-02-02 18:16 UTC
Published: 2024-02-21 17:39 UTC
Last updated: 2025-10-21 23:05 UTC
Primary CWE: CWE-78
CWE-78 Improper Neutralization of Special Elements used in a…
Vendor / Product: Progress Software / LoadMaster
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: ACTIVE
Automatable: yes
Tech. Impact: total

CISA Known Exploited Vulnerability

Vulnerability name: Progress Kemp LoadMaster OS Command Injection Vulnerability
Vendor: Progress
Product: Kemp LoadMaster
Added to KEV: 2024-11-18
Due date: 2024-12-09
Ransomware: Not known

Required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA description

Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Affected products (1)

Vendor	Product	Platform	Versions
Progress Software	LoadMaster	Linux	7.2.48.1 < 7.2.48.10, 7.2.54.0 < 7.2.54.8, 7.2.55.0 < 7.2.59.2

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (4)