CVE-2024-56135

High

Published: 05 February 2025

Published

05 February 2025

Modified

31 July 2025

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0006 19.9th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. This issue affects:  Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1 (inclusive)   From 7.2.49.0 to 7.2.54.12 (inclusive)   7.2.48.12 and all prior versions ECS All prior versions to 7.2.60.1 (inclusive)

Security Summary

CVE-2024-56135 is an Improper Input Validation vulnerability (CWE-20) in Progress LoadMaster that enables OS Command Injection by authenticated users. The issue affects LoadMaster versions from 7.2.55.0 to 7.2.60.1 inclusive, from 7.2.49.0 to 7.2.54.12 inclusive, and 7.2.48.12 and all prior versions. It also impacts ECS in all versions prior to 7.2.60.1 inclusive.

Exploitation requires an attacker to have high privileges (PR:H) and adjacent network access (AV:A), with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) across a changed scope (S:C), yielding a CVSS v3.1 base score of 8.4.

Mitigation details for CVE-2024-56135 and related vulnerabilities are provided in the Progress advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135.

Details

CWE(s): CWE-20NVD-CWE-noinfo

Affected Products

progress

multi-tenant loadmaster

≤ 7.1.35.13

progress

loadmaster

≤ 7.2.48.12 · 7.2.49.0 — 7.2.54.13 · 7.2.55.0 — 7.2.61.0

References

https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE-2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135
Vendor Advisory · security@progress.com