Cyber Resilience

CVE-2024-2449

Severity: High

Published: 22 March 2024
Modified: 10 February 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0332 (87.5th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2449 is a high-severity CSRF (CWE-352) vulnerability in Progress LoadMaster. Its CVSS base score is 7.5 (High).

Operationally, its EPSS score places it in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A cross-site request forgery vulnerability tracked as CVE-2024-2449 affects LoadMaster, the load-balancing and application-delivery appliance from Progress Software (formerly Kemp Technologies). The flaw, assigned CWE-352, allows an attacker to craft a malicious third-party site that, when visited by an authenticated LoadMaster administrator, causes the administrator’s browser to issue unauthorized HTTP requests to the appliance.

An attacker who already knows the IP address or hostname of a target LoadMaster instance can exploit the issue by luring an authenticated administrator to the attacker-controlled page. Successful exploitation enables the attacker to perform arbitrary administrative actions on the LoadMaster appliance on behalf of the victim, with the CVSS 7.5 score reflecting high impact on confidentiality, integrity, and availability under the condition that the victim interacts with the malicious site.

Public advisories published by Progress and Kemp Technologies reference both CVE-2024-2449 and the related CVE-2024-2448; the EPSS score rose from a low baseline to a peak of 0.0640 on 2025-12-11 before receding to its current value of 0.0332, indicating a measurable increase in observed exploitation interest after disclosure.

Vulnerability details

A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: progress
Product: loadmaster
Affected versions: 7.1.35.10; 7.2.48.10; 7.2.49.0 to 7.2.54.9; 7.2.55.0 to 7.2.59.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. (addresses CWE-352)

Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation. (addresses CWE-352)

Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. (addresses CWE-352)

Detects anomalous request patterns consistent with cross-site request forgery. (addresses CWE-352)
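The anti-CSRF protection that the testing control above looks for, shown as a server-side guard for an appliance admin interface: state-changing requests must carry a browser-set Origin/Referer naming the appliance itself and a per-session synchronizer token that a third-party page cannot read. This is an added illustration, not LoadMaster code or a Progress/Kemp fix; the trusted hostnames and the sample requests are constructed.

```python
"""Anti-CSRF guard for an appliance admin UI (CWE-352). Added example;
hostnames are constructed placeholders, not real appliance addresses."""
import hmac
import secrets
from urllib.parse import urlsplit

# Hostnames/IPs under which the management UI is legitimately reached
# (constructed values). A page on a third-party site can make the admin's
# browser send a request here, but cannot control these browser-set headers.
TRUSTED_HOSTS = {"lb-admin.example.internal", "10.0.0.10"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token() -> str:
    """Mint a per-session secret to embed in every admin form."""
    return secrets.token_urlsafe(32)


def _source_host(headers: dict):
    """Hostname from Origin (preferred) or Referer; None if absent/opaque."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src or src == "null":  # "null" is what opaque origins send
        return None
    return urlsplit(src).hostname


def check_request(method: str, headers: dict, form: dict, session_token: str):
    """Return (allowed, reason) for one inbound admin request."""
    if method.upper() not in STATE_CHANGING:
        return True, "read-only method"
    host = _source_host(headers)
    if host is None:
        return False, "missing Origin/Referer on state-changing request"
    if host not in TRUSTED_HOSTS:
        return False, f"cross-site source {host}"
    supplied = form.get("csrf_token", "")
    # Constant-time compare; the third-party page cannot read the admin's
    # session to learn this token, so a forged form cannot carry it.
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    forged = {"Origin": "https://attacker.example"}  # constructed third-party origin
    legit = {"Origin": "https://lb-admin.example.internal"}
    print(check_request("POST", forged, {"csrf_token": token}, token))
    print(check_request("POST", legit, {}, token))
    print(check_request("POST", legit, {"csrf_token": token}, token))
```

The Origin check alone also rejects requests whose only source header is a same-host Referer that a proxy stripped, which is why the token check is kept as a second, independent layer.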
