Progress Software Issues Patch for Critical Vulnerability in LoadMaster and MT Hypervisor

Progress Software has released a critical patch to address a maximum-severity vulnerability (CVE-2024-7591) affecting its LoadMaster and Multi-Tenant (MT) Hypervisor products. The flaw, which carries a CVSS score of 10.0, could allow unauthenticated, remote attackers to execute arbitrary system commands by exploiting improper input validation in the management interface.

Details of CVE-2024-7591: OS Command Injection Vulnerability

The vulnerability stems from improper input validation, enabling attackers to send specially crafted HTTP requests that could trigger the execution of arbitrary operating system commands on affected systems. Progress Software’s advisory explains that unauthenticated attackers with access to the management interface of LoadMaster could exploit this flaw to compromise the system.
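The bug class described above, shown as an added, generic illustration (this is not Progress Software's LoadMaster code; the handler, the `host` parameter and the diagnostic command are hypothetical stand-ins). The vulnerable form interpolates an HTTP parameter into a shell command line, so one crafted request value becomes two shell commands; the hardened form validates the parameter against a strict allowlist and passes it to the operating system as a single argv element, never through a shell. A small detection helper flags request parameters that carry shell metacharacters for review.

```python
"""Added example of the OS command injection pattern (vulnerable vs. hardened).

Not vendor code: the handler, parameter name and command below are
hypothetical. The unsafe builder only returns the command line it would
have handed to /bin/sh; nothing here executes attacker-controlled input.
"""
import re
import subprocess
from typing import List

# Allowlist for a hostname or IPv4 literal (RFC 1123 label rules).
# re.fullmatch plus \Z rejects trailing newlines that "$" would accept.
_HOST_RE = re.compile(
    r"(?=.{1,253}\Z)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

# Characters that /bin/sh interprets; used only for detection logging.
_SHELL_META = set(";&|`$<>()\n\r")


def build_command_unsafe(host: str) -> str:
    """VULNERABLE: request input interpolated into a shell command string.

    With shell=True the returned string is parsed by /bin/sh, so a value
    such as "10.0.0.1; id" runs a second command. Returned, not executed,
    so the defect can be inspected safely.
    """
    return f"ping -c 1 {host}"


def build_command_safe(host: str) -> List[str]:
    """HARDENED: allowlist validation, then an argv list (shell=False).

    The list form reaches the OS via execve(); no shell parses `host`,
    so metacharacters would be plain bytes inside one argument, and the
    allowlist rejects them before that point anyway.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str) -> subprocess.CompletedProcess:
    """Run the hardened command without a shell. Not exercised by the tests."""
    return subprocess.run(
        build_command_safe(host), capture_output=True, text=True, timeout=10
    )


def looks_like_injection(param: str) -> bool:
    """Detection helper: flag a request parameter carrying shell metacharacters."""
    return any(c in _SHELL_META for c in param)


if __name__ == "__main__":
    # Constructed sample request values: one benign, one carrying a payload.
    for value in ("10.0.0.1", "10.0.0.1; id"):
        print("unsafe command line:", build_command_unsafe(value))
        try:
            print("safe argv:", build_command_safe(value))
        except ValueError as exc:
            print("blocked:", exc)
        print("flag for review:", looks_like_injection(value))
```

The allowlist, not the argv list alone, is the control to reuse: argv lists stop the shell from splitting the value, but a parameter that is later written into a config file or passed to a second program still needs validation at the boundary where the request is parsed.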

Affected Versions:

  • LoadMaster: Versions 7.2.60.0 and earlier.
  • Multi-Tenant Hypervisor: Versions 7.1.35.11 and earlier.
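A triage helper for the affected ranges listed above, added here as an example and not taken from the vendor. It compares dotted versions numerically, component by component, because a plain string comparison ranks "7.2.9.0" above "7.2.60.0" and would mark vulnerable builds as safe. The fixed build number is not given on this page, so the 7.2.61.0 and 7.1.35.12 entries in the sample inventory are hypothetical values chosen only to sit just outside the affected range.

```python
"""Added example (not vendor code): is a LoadMaster or MT Hypervisor build
inside the affected range published for CVE-2024-7591?

Dotted versions are compared numerically per component; string comparison
would wrongly rank "7.2.9.0" above "7.2.60.0".
"""
from typing import Tuple

# Highest affected release per product, as stated in the advisory text above.
LAST_AFFECTED = {
    "LoadMaster": "7.2.60.0",
    "Multi-Tenant Hypervisor": "7.1.35.11",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.2.60.0' into (7, 2, 60, 0); reject non-numeric components."""
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when `version` is at or below the last affected release for `product`."""
    if product not in LAST_AFFECTED:
        raise KeyError(f"unknown product: {product!r}")
    have = parse_version(version)
    limit = parse_version(LAST_AFFECTED[product])
    # Zero-pad the shorter tuple so '7.2.60' compares equal to '7.2.60.0'.
    width = max(len(have), len(limit))
    have += (0,) * (width - len(have))
    limit += (0,) * (width - len(limit))
    return have <= limit


if __name__ == "__main__":
    # Constructed inventory. 7.2.61.0 and 7.1.35.12 are hypothetical builds
    # placed just above the affected range; the page does not name the fix.
    inventory = [
        ("LoadMaster", "7.2.60.0"),
        ("LoadMaster", "7.2.9.0"),
        ("LoadMaster", "7.2.61.0"),
        ("Multi-Tenant Hypervisor", "7.1.35.11"),
        ("Multi-Tenant Hypervisor", "7.1.35.12"),
    ]
    for product, version in inventory:
        status = "AFFECTED - patch" if is_affected(product, version) else "outside affected range"
        print(f"{product:24s} {version:10s} {status}")
```

A build that falls outside the range only means it is not in the set the advisory names; confirming that the patch itself is installed still has to be done through the appliance's own update screen or release notes.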

Patch and Recommendations

Progress Software has urged all users to immediately update their systems to the latest versions by downloading and installing the provided patch. The fix can be applied through the System Configuration > System Administration > Update Software menu in the product’s interface.

Additionally, Progress Software strongly recommends that users follow their security hardening guidelines to further protect their environments.

No Active Exploitation Detected

Security researcher Florian Grunow is credited with discovering and reporting the flaw. Progress Software has confirmed that there is currently no evidence of active exploitation in the wild; however, given the critical severity of the vulnerability, applying the patch as soon as possible is crucial to prevent potential future attacks.

By addressing CVE-2024-7591, Progress Software is taking important steps to secure its products and mitigate the risks associated with this OS command injection vulnerability.