cbcvebase.
CVE-2024-1212
published 2024-02-21

CVE-2024-1212: Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Priority: P1 (score 100), critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability: yes, remediation due 2024-12-09
Exploited in the wild: yes
EPSS: 95.39% (99.9th percentile)

Affected

6 ranges (the same three ranges appear under both CPE vendor names, progress and progress_software)

Vendor             Product     Version range                Fixed in
progress           loadmaster  >= 7.2.48.1  < 7.2.48.10    7.2.48.10
progress           loadmaster  >= 7.2.54.0  < 7.2.54.8     7.2.54.8
progress           loadmaster  >= 7.2.55.0  < 7.2.59.2     7.2.59.2
progress_software  loadmaster  >= 7.2.48.1  < 7.2.48.10    7.2.48.10
progress_software  loadmaster  >= 7.2.54.0  < 7.2.54.8     7.2.54.8
progress_software  loadmaster  >= 7.2.55.0  < 7.2.59.2     7.2.59.2

Detection & IOCs

url:          /access/set?param=enableapi&value=1
other:        Basic JztsczsnOmRvZXNub3RtYXR0ZXI=  (base64 of ';ls;':doesnotmatter, a Basic credential whose username carries a shell command)
shodan-query: html:"LoadMaster"
  • Monitor for unauthenticated GET requests to /access/set?param=enableapi&value=1 on the LoadMaster management interface; this is the path the public exploit uses to enable the API and trigger the command injection. On its own the request is also issued by legitimate administrators, so pair it with the Authorization check below.
  • Alert on HTTP 200 responses from the management interface whose body contains both 'bin' and 'mnt': that is the root directory listing produced when an injected ls runs, and it is the check the public exploit uses to confirm execution.
  • The injection travels in the Authorization header: the username portion of the Basic credential is where the injected command sits (the IOC above decodes to a username of ';ls;'). Base64-decode Basic credentials seen on the management interface and alert on usernames containing shell metacharacters or quotes.
  • Detect anomalous GET/POST requests to administrative URLs on LoadMaster appliances, particularly those carrying shell metacharacters or command-injection payloads in the admin parameter.
  • The vulnerability was identified in build 7.2.59.0.22007 and patched in build 7.2.59.2.22338; use these exact build numbers for version-based detection rules.
  • Beyond the CISA KEV listing itself, no details of exploitation activity or ransomware-campaign attribution have been published; threat-actor TTPs past initial access are unknown.
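The following Python script is an added example, not code from this database or from Progress. It puts the two checks a defender needs from this page into working form: an affected-version test against the ranges in the Affected table (comparing on the four-component release number, so a build string like 7.2.59.0.22007 is handled), and a detector that decodes the Basic Authorization header, flags usernames containing shell metacharacters, and flags the /access/set?param=enableapi&value=1 path. The tab-separated log-line format, the client IPs and the benign credential are constructed for the example; the malicious header is the IOC listed above. The set of metacharacters treated as suspicious is an assumption, not something the page specifies.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges copied from the Affected table: (first affected, first fixed).
# Comparison uses the four-component release; a trailing build number
# (7.2.59.0.22007) is parsed but ignored for the range test.
AFFECTED_RANGES = [
    ((7, 2, 48, 1), (7, 2, 48, 10)),
    ((7, 2, 54, 0), (7, 2, 54, 8)),
    ((7, 2, 55, 0), (7, 2, 59, 2)),
]

# Assumption: characters that never appear in a legitimate LoadMaster
# username but are needed to break out of a shell command.
SHELL_META = re.compile(r"[;|&`$(){}<>'\"\n]")
ENABLEAPI_PATH = "/access/set"


def parse_version(version):
    """Return the first four numeric components of a LoadMaster version string."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 4:
        raise ValueError(f"unexpected LoadMaster version string: {version!r}")
    return parts[:4]


def affected_fix(version):
    """Return the fixed release an affected build should move to, or None if not affected."""
    rel = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= rel < hi:
            return ".".join(str(x) for x in hi)
    return None


def decode_basic(header_value):
    """Decode 'Basic <b64>' into (user, password); None if not Basic or not decodable."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def inspect_request(method, url, authorization):
    """Return the list of findings for one request to the management interface."""
    findings = []
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path == ENABLEAPI_PATH and qs.get("param") == ["enableapi"] and qs.get("value") == ["1"]:
        findings.append("enableapi-path")
    creds = decode_basic(authorization) if authorization else None
    if creds and SHELL_META.search(creds[0]):
        findings.append(f"shell-meta-in-username:{creds[0]!r}")
    return findings


def scan_log(lines):
    """Scan constructed 'client<TAB>method<TAB>url<TAB>authorization' lines; '-' means no header."""
    hits = []
    for line in lines:
        client, method, url, auth = line.rstrip("\n").split("\t")
        findings = inspect_request(method, url, None if auth == "-" else auth)
        if findings:
            hits.append((client, findings))
    return hits


# Constructed sample log: two benign requests and one carrying the IOC from this page.
SAMPLE_LOG = [
    "198.51.100.7\tGET\t/access/get?param=version\tBasic YWRtaW46czNjcmV0",   # admin:s3cret
    "198.51.100.7\tGET\t/\t-",
    "203.0.113.9\tGET\t/access/set?param=enableapi&value=1\tBasic JztsczsnOmRvZXNub3RtYXR0ZXI=",
]

if __name__ == "__main__":
    for build in ("7.2.59.0.22007", "7.2.59.2.22338"):
        print(build, "->", affected_fix(build) or "not affected")
    for client, findings in scan_log(SAMPLE_LOG):
        print(client, findings)
```

The enableapi path is reported as a separate finding from the header check so that a legitimate administrator enabling the API does not fire the same alert as an injected credential; in production the two findings on one request, followed by a 200 response listing the filesystem root, is the sequence worth paging on.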

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck  -        10.0   CRITICAL  -
cisa       -        9.8    CRITICAL  -