CVE-2024-56133
Published: 05 February 2025
Summary
CVE-2024-56133 is a high-severity Improper Input Validation (CWE-20) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of information inputs to the system, comprehensively mitigating the improper input validation vulnerability enabling OS command injection.
Mandates timely identification, reporting, and correction of system flaws such as this CVE via patching affected LoadMaster versions.
Enforces restrictions on information inputs to the system, preventing malicious inputs from triggering OS command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection vuln directly enables arbitrary Unix shell command execution (T1059.004) after exploiting the LoadMaster application (T1190).
NVD Description
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions ECS All prior…
more
versions to 7.2.60.1 (inclusive)
Deeper analysisAI
CVE-2024-56133 is an improper input validation vulnerability in Progress LoadMaster that enables OS command injection by authenticated users. The issue affects LoadMaster versions from 7.2.55.0 to 7.2.60.1 inclusive, from 7.2.49.0 to 7.2.54.12 inclusive, and 7.2.48.12 and all prior versions. It also impacts ECS in all versions prior to 7.2.60.1 inclusive. The vulnerability is classified under CWE-20 and carries a CVSS v3.1 base score of 8.4.
Exploitation requires an authenticated user with high privileges (PR:H) operating from an adjacent network (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a changed scope (S:C), potentially allowing arbitrary OS command execution.
Progress has published a security advisory covering this and related vulnerabilities (CVE-2024-56131 through CVE-2024-56135) with mitigation guidance, available at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135.
Details
- CWE(s)