CVE-2024-1212

LoadMaster Pre-Authenticated OS Command Injection

Severity Score

10.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Los atacantes remotos no autenticados pueden acceder al sistema a través de la interfaz de administración de LoadMaster, lo que permite la ejecución arbitraria de comandos del sistema.

*Credits: Rhino Security Labs

CVSS Scores

Progress Software Corporationv3.1 10.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-02 CVE Reserved
2024-02-21 CVE Published
2024-03-19 First Exploit
2024-08-12 CVE Updated
2024-11-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

CAPEC-88: OS Command Injection
CAPEC-113: Interface Manipulation
CAPEC-115: Authentication Bypass

References (9)

URL	Tag	Source
https://freeloadbalancer.com	Product
https://kemptechnologies.com	Product
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster
https://kemptechnologies.com/kemp-load-balancers

URL	Date	SRC
https://github.com/Chocapikk/CVE-2024-1212	2024-03-19
https://github.com/MuhammadWaseem29/CVE-2024-1212	2024-09-04
https://github.com/nak000/CVE-2024-1212	2024-09-04

URL	Date	SRC

URL	Date	SRC
https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212	2024-02-22
https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212	2024-02-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Progress Software Search vendor "Progress Software"		LoadMaster Search vendor "Progress Software" for product "LoadMaster"				>= 7.2.48.1 < 7.2.48.10 Search vendor "Progress Software" for product "LoadMaster" and version " >= 7.2.48.1 < 7.2.48.10"		en		Affected
Progress Software Search vendor "Progress Software"		LoadMaster Search vendor "Progress Software" for product "LoadMaster"				>= 7.2.54.0 < 7.2.54.8 Search vendor "Progress Software" for product "LoadMaster" and version " >= 7.2.54.0 < 7.2.54.8"		en		Affected
Progress Software Search vendor "Progress Software"		LoadMaster Search vendor "Progress Software" for product "LoadMaster"				>= 7.2.55.0 < 7.2.59.2 Search vendor "Progress Software" for product "LoadMaster" and version " >= 7.2.55.0 < 7.2.59.2"		en		Affected