Cyber Posture

CVE-2024-56135

High

Published: 05 February 2025

Published
05 February 2025
Modified
31 July 2025
KEV Added
Patch
CVSS Score 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0006 20.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56135 is a high-severity Improper Input Validation (CWE-20) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the improper input validation (CWE-20) root cause by requiring validation of all user inputs to block OS command injection.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and remediation of flaws like this CVE through patching as advised by the vendor.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to restrict high-privilege (PR:H) access needed for authenticated exploitation of the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

OS command injection vulnerability directly enables Unix shell command execution (T1059.004) after authentication; also facilitates exploitation of the public-facing LoadMaster application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive) From 7.2.49.0 to 7.2.54.12 (inclusive) 7.2.48.12 and all prior versions ECS All prior…

more

versions to 7.2.60.1 (inclusive)

Deeper analysisAI

CVE-2024-56135 is an Improper Input Validation vulnerability (CWE-20) in Progress LoadMaster that enables OS Command Injection by authenticated users. The issue affects LoadMaster versions from 7.2.55.0 to 7.2.60.1 inclusive, from 7.2.49.0 to 7.2.54.12 inclusive, and 7.2.48.12 and all prior versions. It also impacts ECS in all versions prior to 7.2.60.1 inclusive.

Exploitation requires an attacker to have high privileges (PR:H) and adjacent network access (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) across a changed scope (S:C), yielding a CVSS v3.1 base score of 8.4.

Mitigation details for CVE-2024-56135 and related vulnerabilities are provided in the Progress advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135.

Details

CWE(s)
CWE-20NVD-CWE-noinfo

Affected Products

progress
multi-tenant loadmaster
≤ 7.1.35.13
progress
loadmaster
≤ 7.2.48.12 · 7.2.49.0 — 7.2.54.13 · 7.2.55.0 — 7.2.61.0

CVEs Like This One

CVE-2024-56133Same product: Progress Loadmaster
CVE-2024-56131Same product: Progress Loadmaster
CVE-2024-56132Same product: Progress Loadmaster
CVE-2024-56134Same product: Progress Loadmaster
CVE-2025-1758Same product: Progress Loadmaster
CVE-2026-3518Same product: Progress Loadmaster
CVE-2026-4048Same product: Progress Loadmaster
CVE-2025-13447Same product: Progress Loadmaster
CVE-2025-13444Same product: Progress Loadmaster
CVE-2026-3519Same product: Progress Loadmaster

References