CVE-2024-56132

CVE-2024-56132 is an Improper Input Validation vulnerability in Progress LoadMaster that enables OS Command Injection by authenticated users. The affected components include LoadMaster versions from 7.2.55.0 to 7.2.60.1 (inclusive), from 7.2.49.0 to 7.2.54.12 (inclusive), and 7.2.48.12 and all prior versions. ECS is also impacted in all versions prior to 7.2.60.1 (inclusive). The vulnerability is associated with CWE-20 (Improper Input Validation) and CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires an authenticated user with high privileges (PR:H) on an adjacent network (AV:A). With low attack complexity and no user interaction needed, a successful exploit allows arbitrary OS command injection, resulting in high impacts to confidentiality, integrity, and availability, along with a scope change due to elevated privileges.

Progress has published a security advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135 addressing CVE-2024-56132 alongside related vulnerabilities.