CVE-2024-56134
Published: 05 February 2025
Summary
CVE-2024-56134 is a high-severity Improper Input Validation (CWE-20) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user inputs to the system, preventing OS command injection from improper input validation in Progress LoadMaster.
Requires organizations to identify, report, and correct flaws like this improper input validation vulnerability through timely patching.
Enforces least privilege for authenticated high-privileged users, limiting the scope and impact of successful OS command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection vulnerability directly enables arbitrary command execution via Unix shell on the appliance.
NVD Description
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.12…
more
and all prior versions ECS All prior versions to 7.2.60.1 (inclusive)
Deeper analysisAI
CVE-2024-56134 is an Improper Input Validation vulnerability in Progress LoadMaster that allows authenticated users to perform OS Command Injection. The issue affects LoadMaster versions from 7.2.55.0 to 7.2.60.1 inclusive, from 7.2.49.0 to 7.2.54.12 inclusive, and 7.2.48.12 and all prior versions; Multi-Tenant Hypervisor versions 7.1.35.12 and all prior versions; and ECS all versions prior to 7.2.60.1 inclusive.
With a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), the vulnerability can be exploited by a high-privileged authenticated user on an adjacent network. Exploitation requires low complexity and no user interaction, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability while changing the scope of impact.
Mitigation details are provided in the Progress security advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135.
Details
- CWE(s)