CVE-2024-1212
Published 2024-02-21
CVE-2024-1212: Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Priority: P1 · 100 · critical · CVSS 3.1: 9.8
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability · due 2024-12-09
Exploited in the wild
EPSS: 95.39% (99.9th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | loadmaster | >= 7.2.48.1 < 7.2.48.10 | 7.2.48.10 |
| progress | loadmaster | >= 7.2.54.0 < 7.2.54.8 | 7.2.54.8 |
| progress | loadmaster | >= 7.2.55.0 < 7.2.59.2 | 7.2.59.2 |
| progress_software | loadmaster | >= 7.2.48.1 < 7.2.48.10 | 7.2.48.10 |
| progress_software | loadmaster | >= 7.2.54.0 < 7.2.54.8 | 7.2.54.8 |
| progress_software | loadmaster | >= 7.2.55.0 < 7.2.59.2 | 7.2.59.2 |
Detection & IOCs
url: /access/set?param=enableapi&value=1
other: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
sigma
shodan-query: html:"LoadMaster"
- Monitor for unauthenticated GET requests to /access/set?param=enableapi&value=1 on the LoadMaster management interface, which is the exploit path used to enable the API and trigger command injection.
- Alert on HTTP responses from the LoadMaster management interface containing both 'bin' and 'mnt' in the body with HTTP 200 status, which indicates successful command injection and directory listing output.
- The vulnerability is exploited via the Authorization header in the LoadMaster management interface; monitor for malformed or injection-containing Authorization header values on the management interface.
- Detect anomalous HTTP POST/GET requests to administrator URLs on LoadMaster appliances, particularly those containing shell metacharacters or command injection payloads in the admin parameter.
- The vulnerability was identified in version 7.2.59.0.22007 and patched in version 7.2.59.2.22338; use these exact build numbers for version-based detection rules.
- No details about active exploitation activity or ransomware campaign attribution have been published; threat actor TTPs beyond initial access are unknown.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 10.0 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-8vv7-j7w3-28ww: Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution
ghsa_unreviewed·2024-02-21
CVE-2024-1212 [CRITICAL] CWE-78 GHSA-8vv7-j7w3-28ww: Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
VulnCheck
Progress Kemp LoadMaster OS Command Injection Vulnerability
vulncheck·2024·CVSS 10.0
CVE-2024-1212 [CRITICAL] CWE-78 Progress Kemp LoadMaster OS Command Injection Vulnerability
Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Affected: Progress Kemp LoadMaster
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-29&host_type=src&vulnerability=cve-2024-1212; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-30&host_type=src&vulnerability=cve-2024-1212; https://dashboard.shadowserver.org/statistics/honeypot/v
CISA
Progress Kemp LoadMaster OS Command Injection Vulnerability
cisa·2024-11-18·CVSS 9.8
CVE-2024-1212 [CRITICAL] CWE-78 Progress Kemp LoadMaster OS Command Injection Vulnerability
Vulnerability: Progress Kemp LoadMaster OS Command Injection Vulnerability
Affected: Progress Kemp LoadMaster
Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://community.progress.com/s/article/Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212 ; https://nvd.nist.gov/vuln/detail/CVE-2024-1212
Remediation Due Date: 2024-12-09
Suricata
ET EXPLOIT Progress Kemp LoadMaster RCE Attempt Inbound (CVE-2024-1212)
suricata·2024-11-19·CVSS 10.0
CVE-2024-1212 [CRITICAL] ET EXPLOIT Progress Kemp LoadMaster RCE Attempt Inbound (CVE-2024-1212)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Progress Kemp LoadMaster RCE Attempt Inbound (CVE-2024-1212)"; flow:established,to_server; http.header; header_lowercase; content:"authorization|3a 20|Basic|20|"; fast_pattern; base64_decode:offset 0,relative; base64_data; content:"|27 3b|"; reference:cve,2024-1212; classtype:bad-unknown; sid:2057720; rev:1; metadata:attack_target Server, created_at 2024_11_19, cve CVE_2024_1212, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_n
Suricata
ET WEB_SPECIFIC_APPS Progress Kemp Loadmaster Unauthenticated Command Injection (CVE-2024-1212)
suricata·2024-09-24·CVSS 10.0
CVE-2024-1212 [CRITICAL] ET WEB_SPECIFIC_APPS Progress Kemp Loadmaster Unauthenticated Command Injection (CVE-2024-1212)
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Kemp Loadmaster Unauthenticated Command Injection (CVE-2024-1212)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:35; content:"/access/set?param=enableapi&value=1"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|"; base64_decode:bytes 100, offset 0, relative; base64_data; pcre:"/\x3b.{0,100}\x3b/"; reference:url,rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/; reference:cve,2024-1212; classtype:attempted-admin; sid:2056142; rev:1; metadata:affected_product Progress_Kemp_Loadmaster, attack_target Networking_Equipment
Nuclei
Progress Kemp LoadMaster - Command Injection
nuclei·CVSS 9.8
CVE-2024-1212 [CRITICAL] Progress Kemp LoadMaster - Command Injection
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Template:
id: CVE-2024-1212

info:
  name: Progress Kemp LoadMaster - Command Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands through the LoadMaster management interface, leading to complete system compromise.
  remediation: |
    Upgrade to LoadMaster versions 7.2.59.2, 7.2.54.8, or 7.2.48.10 depending on your current version.
  reference:
    - https://rhinosecuritylabs.com/researc
Metasploit
Kemp LoadMaster Unauthenticated Command Injection
metasploit
This module exploits an unauthenticated command injection vulnerability in Progress Kemp LoadMaster in the authorization header after version 7.2.48.1. The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and 7.2.48.10 (LTS).
Metasploit
Kemp LoadMaster Local sudo privilege escalation
metasploit
This module abuses a feature of the sudo command on Progress Kemp LoadMaster. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. Some files that have this permission are not write-protected from the default 'bal' user. As such, if the file is overwritten with an arbitrary file, it will still auto-elevate. This module overwrites the /bin/loadkeys file with another executable.
Hackernews
Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
blogs_hackernews·2026-06-30·CVSS 9.6
CVE-2026-8037 [CRITICAL] Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
## Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API.
The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now.
Progress published its advisory on June 4 and says it has not received any reports of exploitation. On June 29, researchers at watchTowr Labs published a detailed technical write-up that walks through the full
Bleepingcomputer
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
blogs_bleepingcomputer·2024-11-19·CVSS 9.3
CVE-2024-1212 [CRITICAL] CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being under active exploitation in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description.
CVE-2024-
Checkpoint
25th March – Threat Intelligence Report
blogs_checkpoint·2024-03-25
CVE-2024-29943 25th March – Threat Intelligence Report
## 25th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 25th March, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Japanese tech company Fujitsu discovered malware on its work computers, risking exposure of customer data. The company, a leading IT firm, detected unauthorized access that potentially allowed personal and customer information to be illicitly extracted. Immediate actions included isolating affected computers and enhancing mon
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
NoiseLetter April 2024
Huntress
Kemp Technologies (CVE-2024-1212) Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 9.8
CVE-2024-1212 [CRITICAL] Kemp Technologies (CVE-2024-1212) Vulnerability: Analysis, Impact, Mitigation | Huntress
## Kemp Technologies (CVE-2024-1212) Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is Kemp Technologies (CVE-2024-1212) vulnerability?
Kemp Technologies (CVE-2024-1212) is a critical remote code execution (RCE) vulnerability affecting specific versions of Kemp LoadMaster appliances. This flaw stems from a lack of user input validation in the administrative interface, which could allow attackers to execute arbitrary code remotely. Kemp Technologies (CVE-2024-1212) is categorized as a high-severity vulnerability, posing significant risks to systems if left unpatched.
## When was it discovered?
The Kemp Technologies (CVE-2024-1212) vulnerability was disclosed publicly on 2/21/2024. The vulnerability was promptly reported to Kemp Technologies before a patch was
https://freeloadbalancer.com/
https://kemptechnologies.com/
https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1212
2024-02-21: Published
2024-11-18: Added to CISA KEV
Exploited in the wild