The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection vulnerability impacting Progress Kemp LoadMaster.
The flaw, discovered by Rhino Security Labs and tracked as CVE-2024-1212, was addressed via an update released on February 21, 2024. However, this is the first report of it being under active exploitation in the wild.
“Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution,” reads the flaw’s description.
CVE-2024-1212 (CVSS v3.1 score: 10.0, “critical”) impacts LoadMaster versions 7.2.48.1 before 7.2.48.10, 7.2.54.0 before 7.2.54.8, and 7.2.55.0 before 7.2.59.2.
LoadMaster is an application delivery controller (ADC) and load-balancing solution used by large organizations to optimize application performance, manage network traffic, and ensure high service availability.
CISA orders federal organizations using the product to apply the available updates and mitigations by December 9, 2024, or stop using it.
No details about the active exploitation activity have been published at this time, and the status of its exploitation in ransomware campaigns is marked as unknown.
The other two flaws CISA added to KEV are CVE-2024-0012 and CVE-2024-9474, an authentication bypass and an OS command injection flaw respectively, impacting the Palo Alto Networks PAN-OS management interface.
Progress Software recently fixed another maximum-severity flaw in LoadMaster products that allows remote attackers to execute arbitrary commands on the device.
Identified as CVE-2024-7591, the flaw is categorized as an improper input validation problem allowing an unauthenticated, remote attacker to access LoadMaster’s management interface using a specially crafted HTTP request.
CVE-2024-7591 impacts LoadMaster version 7.2.60.0 and all earlier versions, as well as MT Hypervisor version 7.1.35.11 and all prior releases.
That said, system administrators looking to upgrade to a safe version should move to a release that addresses both maximum-severity flaws in LoadMaster, even though active exploitation of CVE-2024-7591 has not been observed yet.