CVE-2024-56132
Published: 05 February 2025
Summary
CVE-2024-56132 is a high-severity Improper Input Validation (CWE-20) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-56132 is an Improper Input Validation vulnerability in Progress LoadMaster that enables OS Command Injection by authenticated users. The affected components include LoadMaster versions from 7.2.55.0 to 7.2.60.1 (inclusive), from 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.48.12 and all prior versions. ECS is also impacted in all versions prior to 7.2.60.1 (inclusive). The vulnerability is associated with CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Exploitation requires an authenticated user with high privileges (PR:H) on an adjacent network (AV:A). With low attack complexity and no user interaction needed, a successful exploit allows arbitrary OS command injection, resulting in high impacts to confidentiality, integrity, and availability, along with a scope change due to elevated privileges.
Progress has published a security advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135 addressing CVE-2024-56132 alongside related vulnerabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52985
Vulnerability details
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions ECS All prior…
more
versions to 7.2.60.1 (inclusive)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection vulnerability directly enables arbitrary command execution on the appliance (T1059.004 Unix Shell) and is exploitable via the public/adjacent-facing management interface (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the improper input validation vulnerability (CWE-20) that enables OS command injection by requiring comprehensive validation of all user inputs.
Addresses the specific flaw in Progress LoadMaster by requiring timely identification, reporting, and correction of vulnerabilities like CVE-2024-56132.
Reduces the attack surface by enforcing least privilege, limiting the number of high-privilege (PR:H) authenticated users able to exploit the vulnerability.