DIVD-2024-00010 - Unauthenticated Command Injection In Progress Kemp LoadMaster
| Field | Value |
|---|---|
| Our reference | DIVD-2024-00010 |
| Case lead | Alwin Warringa |
| Researcher(s) | |
| CVE(s) | |
| Products | |
| Versions | |
| Recommendation | Apply the provided security patch as soon as possible |
| Patch status | Released |
| Status | Closed |
| Last modified | 23 Apr 2024 10:02 CEST |
Summary
A critical security issue was recently identified in Kemp LoadMaster. Remote attackers with network access to the LoadMaster management interface can issue a carefully crafted API command that causes arbitrary system commands to be executed, without any authentication.
Recommendations
Progress advises users to install the security patch as soon as possible. See the references for the download links.
What we are doing
DIVD is currently working to identify vulnerable instances and notify the owners of these systems.
Timeline
Date | Description |
---|---|
20 Mar 2024 | DIVD starts researching this vulnerability. |
20 Mar 2024 | DIVD found a good fingerprint method. |
22 Mar 2024 | Case opened, first version of this casefile. |
22 Mar 2024 | DIVD starts scanning the internet for vulnerable instances. |
23 Mar 2024 | DIVD starts notifying network owners with a vulnerable instance in their network. |
23 Apr 2024 | Second round of notifications sent. |
23 Apr 2024 | Case closed. |
```mermaid
gantt
    title DIVD-2024-00010 - Unauthenticated Command Injection In Progress Kemp LoadMaster
    dateFormat YYYY-MM-DD
    axisFormat %e %b %Y
    section Case
    DIVD-2024-00010 - Unauthenticated Command Injection In Progress Kemp LoadMaster (34 days) :2024-03-20, 2024-04-23
    section Events
    DIVD starts researching this vulnerability. : milestone, 2024-03-20, 0d
    DIVD found a good fingerprint method : milestone, 2024-03-20, 0d
    Case opened, first version of this casefile : milestone, 2024-03-22, 0d
    DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-03-22, 0d
    DIVD starts notifying network owners with a vulnerable instance in their network. : milestone, 2024-03-23, 0d
    Second round of notifications sent : milestone, 2024-04-23, 0d
    Case closed. : milestone, 2024-04-23, 0d
```