CVE-2024-7591
Published 2024-09-05
Priority P2 · 66 · high · 7.2 CVSS 3.1
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 44.07% (98.6th percentile)
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects:
- LoadMaster: 7.2.40.0 and above
- ECS: All versions
- Multi-Tenancy: 7.1.35.4 and above
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kemptechnologies | loadmaster | 7.2.40.0 – 7.2.60.0 | — |
| kemptechnologies | multi-tenant_hypervisor_firmware | >= 7.1.35.4 < 7.1.35.11 | 7.1.35.11 |
| progress | loadmaster | >= 7.2.40.0 < 7.2.60.1 | 7.2.60.1 |
Detection & IOCs
command: pass=%01%78%78%78%78%78%78%78%27%3b%70%69%6e%67%20%2d%63%20%32%20<payload>%3b%65%63%68%6f%20%27%01
other: shodan:html:"Kemp Login Screen"
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-7591)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/progs/status/login"; fast_pattern; http.request_body; content:"pass|3d|"; pcre:"/^[^\x26\s]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,insinuator.net/2024/11/vulnerability-disclosure-command-injection-in-kemp-loadmaster-load-balancer-cve-2024-7591; reference:cve,2024-7591; classtype:web-application-attack; sid:2062294; rev:1; metadata:affected_product Progress_Kemp_Loadmaster, attack_target Server, created_at 2025_05_13, cve CVE_2024_7591, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets POST /progs/status/login with a crafted 'pass' parameter containing shell metacharacters (semicolons, backticks, pipes, dollar signs) or their URL-encoded equivalents to inject OS commands.
- Exploitation is unauthenticated; attacker first fetches /progs/homepage to harvest CSRF tokens (token, token2) before submitting the injection payload to the login endpoint.
- Successful exploitation can be confirmed by observing both a 'Login Failed' alert in the response body AND evidence of outbound DNS/ICMP (e.g., ping -c 2) to an attacker-controlled OOB host.
- Exposed LoadMaster management interfaces are discoverable via Shodan using the 'Kemp Login Screen' HTML fingerprint.
- The vulnerability allows unauthenticated remote attackers to access LoadMaster's management interface using a specially crafted HTTP request to execute arbitrary system commands.
- The emergency add-on patch does NOT apply to the free version of LoadMaster; CVE-2024-7591 remains unpatched on free-tier deployments.
- Affected scope is broad: LoadMaster 7.2.40.0 and above, all ECS versions, and Multi-Tenancy 7.1.35.4 and above (up to and including MT Hypervisor 7.1.35.11).
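The matching logic of the rule above (sid 2062294), re-implemented in Python as an added example that is not part of the rule or of any source quoted on this page, so the same check can be replayed over proxy or WAF request logs. The sample requests are constructed, and the `user` field name in them is an assumption.

```python
import re

LOGIN_PATH = "/progs/status/login"   # http.uri content from the rule
PASS_KEY = b"pass="                  # http.request_body content "pass|3d|"

# The rule's pcre. Its /R flag makes it relative to the "pass=" match, so it
# is applied with match() at the offset right after the key. [^&\s]*? keeps
# the scan inside the pass value; the alternation is ; $ ' ` | either raw or
# percent-encoded (%3b/%3B, %24, %27, %60, %7c/%7C).
PASS_VALUE_RE = re.compile(
    rb"[^\x26\s]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))"
)

def rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Return True when a request would trigger the rule's conditions."""
    if method != "POST" or LOGIN_PATH not in uri:
        return False
    start = 0
    # Try every "pass=" occurrence, as a relative pcre is retried per match.
    while (idx := body.find(PASS_KEY, start)) != -1:
        if PASS_VALUE_RE.match(body, idx + len(PASS_KEY)):
            return True
        start = idx + 1
    return False

# Constructed sample requests: (method, uri, body).
SAMPLES = [
    ("POST", LOGIN_PATH, b"token=aaaa&token2=bbbb&user=bal&pass=Spring2024"),
    ("POST", LOGIN_PATH, b"token=aaaa&token2=bbbb&user=bal&pass=abc%27%3bEXAMPLE"),
    ("POST", LOGIN_PATH, b"user=a%3bb&pass=abc"),     # metachar outside pass
    ("POST", LOGIN_PATH, b"user=bal&pass=Pa$$w0rd"),  # legitimate but alerts
    ("GET", "/progs/homepage", b""),                  # token fetch, no alert
    ("POST", "/progs/homepage", b"pass=a;b"),         # wrong endpoint
]

def flagged(samples):
    """Indices of the samples that would raise the alert."""
    return [i for i, s in enumerate(samples) if rule_matches(*s)]

if __name__ == "__main__":
    for i in flagged(SAMPLES):
        print("alert:", SAMPLES[i])
```

Sample 3 shows the rule's main false-positive source: a legitimate password containing `$`, `'`, `;`, `|` or a backtick matches the same character class, so alerts need triage against the other indicators listed above.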
Suricata
ET WEB_SPECIFIC_APPS Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-7591)
suricata·2025-05-13·CVSS 10.0
CVE-2024-7591 [CRITICAL] ET WEB_SPECIFIC_APPS Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-7591)
Nuclei
Kemp LoadMaster Load Balancer - Unauthenticated Command Injection
nuclei·CVSS 7.2
CVE-2024-7591 [HIGH] Kemp LoadMaster Load Balancer - Unauthenticated Command Injection
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection. This issue affects: LoadMaster: 7.2.40.0 and above. ECS: All versions. Multi-Tenancy: 7.1.35.4 and above.
Template:
id: CVE-2024-7591
info:
  name: Kemp LoadMaster Load Balancer - Unauthenticated Command Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: LoadMaster: 7.2.40.0 and above. ECS: All versions.Multi-Tenancy: 7.1.35.4 and above.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on the LoadMaster load balancer through command injection, achieving complete system com
Bleepingcomputer
CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
blogs_bleepingcomputer·2024-11-19·CVSS 9.3
CVE-2024-1212 [CRITICAL] CISA tags Progress Kemp LoadMaster flaw as exploited in attacks
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws in its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection impacting Progress Kemp LoadMaster.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being under active exploitation in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description.
CVE-2024-
Wiz
Crying Out Cloud - October 2024 Newsletter | Wiz
blogs_wiz·2024-10-01·CVSS 9.0
CVE-2024-0132 [CRITICAL] Crying Out Cloud - October 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks!
## 🔍 Highlights
Critical Vulnerability in NVIDIA Container Toolkit
Wiz Research uncovered a critical vulnerability, CVE-2024-0132, in the widely used NVIDIA Container Toolkit. The vulnerability allows attackers with control over a container image to escape the container and gain full access to the underlying host. It is strongly recommended to update the affected package to the latest version 1.16.2, while focusing on container hosts that might run untrusted container images.
According to Wiz data, 33% of cloud environments are impacted by CVE-2024-0132.
Learn more in our blog.
## 🐞 High Profile Vulnerab
Bleepingcomputer
Progress LoadMaster vulnerable to 10/10 severity RCE flaw
blogs_bleepingcomputer·2024-09-08·CVSS 10.0
CVE-2024-7591 [CRITICAL] Progress LoadMaster vulnerable to 10/10 severity RCE flaw
## Bill Toulas
Progress Software has issued an emergency fix for a maximum (10/10) severity vulnerability impacting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products that allows attackers to remotely execute commands on the device.
The flaw, tracked as CVE-2024-7591, is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request.
However, the lack of user input sanitization could also allow the attacker to execute arbitrary system commands on vulnerable endpoints.
"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a car
Published: 2024-09-05