CVE-2024-56131
Published: 05 February 2025
Description
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection. This issue affects:
- LoadMaster: from 7.2.55.0 to 7.2.60.1 (inclusive); from 7.2.49.0 to 7.2.54.12 (inclusive); 7.2.48.12 and all prior versions
- Multi-Tenant Hypervisor: 7.1.35.12 and all prior versions
- ECS: all prior versions to 7.2.60.1 (inclusive)
Security Summary
CVE-2024-56131 is an improper input validation vulnerability in Progress LoadMaster that enables OS command injection by authenticated users. It affects LoadMaster versions 7.2.55.0 to 7.2.60.1 inclusive, 7.2.49.0 to 7.2.54.12 inclusive, and 7.2.48.12 and all prior versions; Multi-Tenant Hypervisor 7.1.35.12 and all prior versions; and all ECS versions up to and including 7.2.60.1. It is associated with CWE-20 and carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Exploitation requires an attacker with high privileges (PR:H) who is authenticated and positioned on an adjacent network (AV:A). The attack has low complexity and requires no user interaction. Successful exploitation allows OS command injection, yielding high impacts on confidentiality, integrity, and availability with a changed scope (S:C).
Progress has published a security advisory covering CVE-2024-56131 along with related vulnerabilities CVE-2024-56132 through CVE-2024-56135, available at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135, which provides details on mitigations and patches.
Details
- CWE(s)