cbcvebase.
CVE-2024-7591
published 2024-09-05

CVE-2024-7591: Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All…

PriorityP266high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
44.07%
98.6th percentile
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects:

* LoadMaster: 7.2.40.0 and above

* ECS: All versions

* Multi-Tenancy: 7.1.35.4 and above

Affected

3 ranges
VendorProductVersion rangeFixed in
kemptechnologiesloadmaster7.2.40.0 – 7.2.60.0
kemptechnologiesmulti-tenant_hypervisor_firmware>= 7.1.35.4 < 7.1.35.117.1.35.11
progressloadmaster>= 7.2.40.0 < 7.2.60.17.2.60.1

Detection & IOCsextracted from sources · hover to see the quote

url/progs/status/login
url/progs/homepage
commandpass=%01%78%78%78%78%78%78%78%27%3b%70%69%6e%67%20%2d%63%20%32%20<payload>%3b%65%63%68%6f%20%27%01
othershodan:html:"Kemp Login Screen"
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-7591)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/progs/status/login"; fast_pattern; http.request_body; content:"pass|3d|"; pcre:"/^[^\x26\s]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,insinuator.net/2024/11/vulnerability-disclosure-command-injection-in-kemp-loadmaster-load-balancer-cve-2024-7591; reference:cve,2024-7591; classtype:web-application-attack; sid:2062294; rev:1; metadata:affected_product Progress_Kemp_Loadmaster, attack_target Server, created_at 2025_05_13, cve CVE_2024_7591, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets POST /progs/status/login with a crafted 'pass' parameter containing shell metacharacters (semicolons, backticks, pipes, dollar signs) or their URL-encoded equivalents to inject OS commands.
  • Exploitation is unauthenticated; attacker first fetches /progs/homepage to harvest CSRF tokens (token, token2) before submitting the injection payload to the login endpoint.
  • Successful exploitation can be confirmed by observing both a 'Login Failed' alert in the response body AND evidence of outbound DNS/ICMP (e.g., ping -c 2) to an attacker-controlled OOB host.
  • Exposed LoadMaster management interfaces are discoverable via Shodan using the 'Kemp Login Screen' HTML fingerprint.
  • The vulnerability allows unauthenticated remote attackers to access LoadMaster's management interface using a specially crafted HTTP request to execute arbitrary system commands.
  • ·The emergency add-on patch does NOT apply to the free version of LoadMaster; CVE-2024-7591 remains unpatched on free-tier deployments.
  • ·Affected scope is broad: LoadMaster 7.2.40.0 and above, all ECS versions, and Multi-Tenancy 7.1.35.4 and above (up to and including MT Hypervisor 7.1.35.11).
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.