Pierluigi Paganini
February 11, 2025
Progress Software has addressed multiple high-severity security vulnerabilities (CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135) in its LoadMaster software.
Progress Software’s LoadMaster is a high-performance load balancer and application delivery controller (ADC) designed to optimize the availability, security, and performance of web applications and services. It helps distribute network traffic efficiently across multiple servers to ensure reliability and scalability.
Below are the descriptions of these vulnerabilities:
Once a remote attacker gained access to the management interface of LoadMaster and successfully authenticated could execute arbitrary system commands by using specially crafted HTTP requests.
The last high-severity flaw addressed by Progress, tracked as
The vulnerabilities impact the following versions:
| Product | Affected Versions | Patched Versions | Release Date |
| LoadMaster | From 7.2.55.0 to 7.2.60.1 (inclusive) | 7.2.61.0 (GA) XML validation file | 5 Feb 2025 |
| From 7.2.49.0 to 7.2.54.12 (inclusive) | 7.2.54.13 (LTSF) XML validation file | 5 Feb 2025 | |
| 7.2.48.12 and all prior versions | Upgrade to LTSF or GA | 5 Feb 2025 | |
| Multi-Tenant LoadMaster | 7.1.35.12 and all prior versions | 7.1.35.13 (GA) XML validation file | 5 Feb 2025 |
The company is not aware of attacks in the wild exploiting one of the above vulnerabilities.
In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-1212 Progress Kemp LoadMaster issue to its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2024-1212 is a Progress Kemp LoadMaster OS command injection issue that unauthenticated remote attackers can exploit to execute arbitrary system commands, posing significant security risks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Progress LoadMaster)
