Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

ACSC releases critical alert over Progress Kemp LoadMaster vulnerability

A newly disclosed bug in Progress Kemp’s application delivery platform could allow the execution of unauthenticated commands.

user icon David Hollingworth
Fri, 23 Feb 2024
ACSC releases critical alert over Progress Kemp LoadMaster vulnerability
expand image

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a critical alert concerning a recently disclosed vulnerability in Progress Kemp’s LoadMaster, a cloud-based application delivery platform.

The flaw – officially CVE-2024-1212 – could allow a threat actor with access to LoadMaster’s management interface to issue a “carefully crafted API command”, in the words of Progress Kemp, that will allow the attacker to execute arbitrary system commands.

The vulnerability affects all releases of the LoadMaster platform after version 7.2.48.1, and Progress Kemp rates the bug as critical, with a CVSS score of 10.

============
============

The same flaw is present in Progress Kemp’s ECS Connection Manager Product as well.

Progress Kemp does have a number of patches for different versions of LoadMaster, however, as well as a guide to how to apply them. Users of the free version will, however, need to back up their configuration and deploy a new version of the platform, one without the vulnerability, and then apply the backed-up configuration.

The ACSC is recommending users of the platform follow Progress Kemp’s mitigation advice.

Progress Kemp has also changed its password policy.

“In line with this announcement, we have updated our password policy,” Progress Kemp said in its advisory. “Please read the guidelines and reset your password. We are also strongly recommending that customers follow our security hardening guidelines.”

Thankfully, the ACSC has not had any reports of the vulnerability being exploited in the wild.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.