CVE-2024-2449
Published: 22 March 2024
Summary
CVE-2024-2449 is a high-severity CSRF (CWE-352) vulnerability in Progress LoadMaster. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 12.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A cross-site request forgery vulnerability tracked as CVE-2024-2449 affects LoadMaster, the load-balancing and application-delivery appliance from Progress Software (formerly Kemp Technologies). The flaw, assigned CWE-352, allows an attacker to craft a malicious third-party site that, when visited by an authenticated LoadMaster administrator, causes the administrator’s browser to issue unauthorized HTTP requests to the appliance.
An attacker who already knows the IP address or hostname of a target LoadMaster instance can exploit the issue by luring an authenticated administrator to the attacker-controlled page. Successful exploitation enables the attacker to perform arbitrary administrative actions on the LoadMaster appliance on behalf of the victim, with the CVSS 7.5 score reflecting high impact on confidentiality, integrity, and availability under the condition that the victim interacts with the malicious site.
Public advisories published by Progress and Kemp Technologies reference both CVE-2024-2449 and the related CVE-2024-2448; the EPSS score rose from a low baseline to a peak of 0.0640 on 2025-12-11 before receding to its current value of 0.0332, indicating a measurable increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27398
Vulnerability details
A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site.
In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Request monitoring detects anomalous request patterns consistent with cross-site request forgery.
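The controls above (anti-CSRF checks and re-authentication for sensitive actions) can be illustrated with a small server-side check of the kind an administrative web UI would run before honouring a state-changing request. This is an added example, not LoadMaster code and not derived from the vendor advisory; the application origin, the session model, the cookie name, the re-authentication window and the sample requests are all constructed for the demonstration. It combines three defences against CWE-352: a SameSite=Strict session cookie, an Origin/Referer check that fails closed, and a per-session synchronizer token compared in constant time, plus a freshness check on re-entered credentials for sensitive actions.

```python
# Added example: server-side CSRF checks for a state-changing admin request.
# Not LoadMaster code; the origin, paths and request samples are constructed.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

APP_ORIGIN = "https://lb-admin.example.internal"   # constructed placeholder origin
REAUTH_WINDOW_SECONDS = 300                        # assumed policy: 5 minutes


@dataclass
class Session:
    """Server-side session bound to the admin's cookie (constructed model)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    reauthenticated_at: float = 0.0   # last time the password was re-entered


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the session cookie off cross-site requests."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def request_origin(headers: dict) -> Optional[str]:
    """Origin of the request, falling back to the Referer's origin; None if absent."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def authorize_state_change(session: Session, headers: dict, form: dict,
                           now: Optional[float] = None,
                           sensitive: bool = False):
    """Decide whether a state-changing request may proceed. Returns (ok, reason)."""
    # 1. The request must come from our own origin; a missing Origin/Referer
    #    (which a third-party page can arrange) is treated as a mismatch.
    if request_origin(headers) != APP_ORIGIN:
        return False, "origin mismatch"
    # 2. The form must carry the token tied to this session. A cross-site page
    #    cannot read it, so a forged request cannot supply it.
    submitted = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "csrf token mismatch"
    # 3. Sensitive actions additionally need a recent password re-entry.
    if sensitive:
        now = time.time() if now is None else now
        if now - session.reauthenticated_at > REAUTH_WINDOW_SECONDS:
            return False, "re-authentication required"
    return True, "ok"


# Constructed sample data: one admin session, a legitimate request, and a
# forged request in which the browser attached the cookie automatically.
ADMIN = Session(user="admin", reauthenticated_at=1_000.0)

LEGIT_HEADERS = {"Origin": APP_ORIGIN, "Cookie": "session=abc123"}
LEGIT_FORM = {"action": "add_virtual_service", "csrf_token": ADMIN.csrf_token}

FORGED_HEADERS = {"Origin": "https://third-party.example", "Cookie": "session=abc123"}
FORGED_FORM = {"action": "add_virtual_service"}   # no token: the page cannot read it


def demo() -> dict:
    """Run the check over the constructed requests and return each verdict."""
    return {
        "legit": authorize_state_change(ADMIN, LEGIT_HEADERS, LEGIT_FORM),
        "forged": authorize_state_change(ADMIN, FORGED_HEADERS, FORGED_FORM),
        "forged_no_origin": authorize_state_change(
            ADMIN, {"Cookie": "session=abc123"}, FORGED_FORM),
        "stale_reauth": authorize_state_change(
            ADMIN, LEGIT_HEADERS, LEGIT_FORM, now=2_000.0, sensitive=True),
        "fresh_reauth": authorize_state_change(
            ADMIN, LEGIT_HEADERS, LEGIT_FORM, now=1_100.0, sensitive=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

The three checks are layered deliberately: SameSite=Strict stops most browsers from attaching the cookie at all, the origin check rejects the request if the cookie is attached anyway, and the token check holds even if both of those are bypassed by an older client. The re-authentication window is what the "user re-entry of credentials" control above buys: a forged request cannot supply a password, so sensitive actions stay blocked even when a token leaks.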