Cyber Resilience

CVE-2024-2448

Severity: High
Published: 22 March 2024
Modified: 11 February 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4475 (97.7th percentile)
Risk Priority: 44 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2448 is a high-severity OS command injection (CWE-78) vulnerability in Progress (Kemp) LoadMaster. Its CVSS v3.1 base score is 8.4 (High).

Operationally, its EPSS score of 0.4475 sits at the 97.7th percentile, i.e. in the top 2.3% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog. The Risk Priority of 44 is consistent with the stated weighting if EPSS and CVSS are taken as percentages and the KEV term is zero for an unlisted CVE: 0.6 × 44.75 + 0.2 × 0 + 0.2 × 84 ≈ 43.7, which rounds to 44 (that scaling is an inference; the page does not state it).

Deeper analysis

CVE-2024-2448 is an OS command injection vulnerability (CWE-78) in the LoadMaster management UI. A UI component builds a shell command from user-supplied input without neutralizing shell special elements, so an authenticated user who interacts with that component can append or substitute commands of their own.

The vendor wording is that an authenticated UI user with any permission setting can exploit the issue; the CVSS vector nonetheless scores the privileges required as High (PR:H), so treat every UI account, not only administrators, as in scope. The attack vector is Adjacent (AV:A): the attacker needs network reach to the management interface. The vulnerability carries a CVSS v3.1 base score of 8.4 with high impact to confidentiality, integrity, and availability and a changed scope, because the injected commands run on the underlying operating system rather than inside the UI's own security boundary. Because a load balancer sits in the data path, control of its OS also exposes the configuration and the traffic it handles.

Progress and Kemp Technologies have published advisories covering CVE-2024-2448 together with CVE-2024-2449 and giving mitigation guidance for affected installations. The EPSS score has held steady at 0.4475 rather than climbing from a lower baseline.

Vulnerability details

An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Progress
Product: LoadMaster
Affected versions: 7.1.35.10; 7.2.48.10; 7.2.49.0 to 7.2.54.9; 7.2.55.0 to 7.2.59.3

Mitigating Controls

Per-CVE control mapping has not yet run for this entry; the controls below are derived from the weakness type (CWE-78) cited in the NVD entry. The primary control is the vendor fix described in the Progress/Kemp advisory; the items below reduce exposure where patching is delayed and harden the code path itself.

Managed runtime or sandboxing (addresses CWE-78): applications that execute inside a managed runtime or sandbox which restricts direct OS command execution limit what injected input can reach. This is a weak fit for a network appliance whose management UI deliberately invokes system utilities, so do not rely on it here.

Input validation and shell-free execution (addresses CWE-78): validate each UI field against an allowlist of what it may legitimately contain, so that shell special elements (`;`, `|`, `&`, backticks, `$( )`, newlines) cannot alter the command that is executed, and invoke the target program with an argument vector rather than through a shell, so that any remaining metacharacters are passed as literal bytes. Validation must also reject values beginning with `-`, since argv execution alone does not stop argument injection.

Exposure reduction: the vector scores the attack as Adjacent (AV:A), so confine the management UI to a dedicated management network and keep the set of UI accounts minimal, because any authenticated account is in scope.
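The following is an added example, not LoadMaster code and not taken from the Progress/Kemp advisory. It illustrates both the weakness described under "Deeper analysis" (a UI component that splices user input into a shell command) and the two controls listed above (allowlist validation plus argv execution). The diagnostic handler, the `host` field, the regex and the use of `echo` in place of a real diagnostic binary are all assumptions made so the example runs offline with deterministic output.

```python
import re
import subprocess

# `echo` stands in for the diagnostic binary (ping, traceroute, ...) so the
# example runs offline with deterministic output. The structure of the
# handlers is what matters, not the program being run. (assumption)
DIAG = ["echo", "ping", "-c", "1"]


def ping_vulnerable(host: str) -> str:
    """CWE-78 pattern: user input is spliced into a string handed to /bin/sh.

    A value such as "10.0.0.1; echo INJECTED" makes the shell run a second
    command after the intended one.
    """
    cmd = " ".join(DIAG) + " " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv_only(host: str) -> str:
    """No shell: the program is exec'd with an argv list, so ';', '|', '$('
    and friends arrive as literal characters inside a single argument.
    This alone stops shell injection but not argument injection."""
    return subprocess.run(DIAG + [host], capture_output=True, text=True).stdout


# Allowlist for the hypothetical "host" field: an IPv4 literal or a hostname
# built from RFC 1123 characters. Requiring an alphanumeric first character
# rejects values starting with '-', which blocks argument injection
# ("-c 9999999", "--some-flag") that argv execution does not prevent.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_accepted(host: str) -> bool:
    """True only if the value matches the allowlist exactly (no trailing newline)."""
    return _HOST_RE.fullmatch(host) is not None


def ping_hardened(host: str) -> str:
    """Allowlist validation plus argv execution: the two controls together."""
    if not is_accepted(host):
        raise ValueError(f"rejected host field: {host!r}")
    return subprocess.run(DIAG + [host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"  # constructed attacker input
    print("vulnerable:", repr(ping_vulnerable(payload)))
    print("argv only: ", repr(ping_argv_only(payload)))
    print("hardened:  ", repr(ping_hardened("10.0.0.1")))
    print("hardened accepts payload?", is_accepted(payload))
```

Running it shows the three outcomes side by side: the shell-string handler executes the injected `echo INJECTED`, the argv-only handler passes the whole payload to the program as one literal argument, and the hardened handler refuses the payload before anything is executed while still serving a well-formed host. The same split applies to any language or runtime: the defect is handing a string to `sh -c` (or `system()`, `popen()`), not the language the UI is written in.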
