CVE-2024-1212 — Progress Kemp LoadMaster OS Command Injection Vulnerability

CVE-2024-1212

Progress Kemp LoadMaster — Unauthenticated OS Command Injection via Management Interface (CVSS 10)

What is Progress Kemp LoadMaster?

Progress Kemp LoadMaster is an application delivery controller (ADC) and load balancer deployed by enterprises, government agencies, and managed service providers to distribute traffic across web applications, APIs, and internal services. LoadMaster provides SSL offloading, global server load balancing, WAF capabilities, and high-availability failover — making it a critical piece of infrastructure that sits in front of production applications. The LoadMaster management interface is accessible over HTTPS and is the target of this vulnerability; organizations that expose this interface to the internet face unauthenticated remote code execution risk.

Overview

CVE-2024-1212 is an unauthenticated OS command injection vulnerability in the Progress Kemp LoadMaster management interface that carries the maximum CVSS score of 10.0. An unauthenticated remote attacker who can reach the LoadMaster management interface can inject and execute arbitrary OS commands with the privileges of the LoadMaster process. The vulnerability was published in February 2024 and added to the CISA KEV catalog in November 2024, which confirms active exploitation in the wild and triggers mandatory remediation for federal agencies.

Affected Versions

Product                       Vulnerable     Fixed
Kemp LoadMaster               < 7.2.59.2     7.2.59.2
Kemp LoadMaster               < 7.2.54.8     7.2.54.8
Kemp LoadMaster               < 7.2.48.10    7.2.48.10
Kemp ECS Connection Manager   All versions   Check vendor advisory

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command / OS Command Injection). The LoadMaster management interface fails to adequately sanitize user-supplied input before passing it to shell commands. An unauthenticated attacker can craft a malicious HTTP request to the management API that injects shell metacharacters (;, |, backtick, $()) into a parameter that is subsequently executed by the OS. The CVSS scope is "Changed" (S:C), meaning successful exploitation can affect components beyond the LoadMaster process itself — reflecting that a fully compromised load balancer has visibility into all traffic it proxies.

The zero-privilege, zero-interaction nature of this vulnerability (PR:N, UI:N) makes it trivially exploitable at scale: an attacker with network access to the management port can achieve remote code execution without any credentials or user interaction.

Discovery

Reported to Progress Software. The vulnerability was disclosed and patched in February 2024 but not added to the CISA KEV catalog until November 2024, a nine-month gap that suggests exploitation began after initial publication when threat actors discovered unpatched deployments.

Exploitation Context

Active exploitation prompted CISA's November 18, 2024 KEV addition and the corresponding 21-day federal remediation deadline. Load balancers and ADCs are high-value targets: a compromised LoadMaster sits in front of production traffic and can be used to intercept sessions, inject malicious responses, or pivot into backend application servers. Organizations that expose the LoadMaster management interface to the internet — rather than restricting it to a management network — are most at risk.

Remediation

  1. Upgrade LoadMaster to LMOS 7.2.59.2, 7.2.54.8, or 7.2.48.10 (whichever branch is in use), or any later version.
  2. Immediately restrict access to the LoadMaster management interface — it should never be internet-accessible. Limit access to a dedicated management VLAN or VPN.
  3. Review LoadMaster access logs for unexpected API calls, unusual command patterns, or connections from unauthorized source IPs prior to patching.
  4. After patching, rotate all credentials stored in or accessible through the LoadMaster configuration.
  5. Check whether LoadMaster is used as a WAF — compromised WAF rules may have been altered to pass through attacks that would otherwise be blocked.
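A small triage helper for steps 1 and 3 above, added here as an example (not Progress/Kemp code). It assumes four-part LMOS version strings; the /mgmt/api path and the log lines are constructed samples, not the real LoadMaster API path or log format.

```python
"""Added example (not Progress/Kemp code): helpers for remediation steps 1 and 3.
Version thresholds come from the advisory; the log lines and the /mgmt/api path
are constructed samples, not the real LoadMaster log format or API path."""
import re
from urllib.parse import unquote

# First fixed build on each patched branch, keyed by the branch prefix.
FIXED = {(7, 2, 59): (7, 2, 59, 2), (7, 2, 54): (7, 2, 54, 8), (7, 2, 48): (7, 2, 48, 10)}
GA_FIXED = (7, 2, 59, 2)

def parse_version(text):
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part LMOS version, got {text!r}")
    return parts

def is_patched(version):
    """Step 1: True if the build is at or above the fix for its branch."""
    v = parse_version(version)
    if v[:3] in FIXED:
        return v >= FIXED[v[:3]]
    # Builds between the LTS branches (e.g. 7.2.56.x) carry no backported fix,
    # so they count as patched only at or above the GA fix.
    return v >= GA_FIXED

# Shell metacharacters named in the advisory, matched after URL-decoding.
META = re.compile(r"[;|`]|\$\(")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Step 3 triage: return (raw_path, decoded_path) for management-API
    requests whose decoded query string carries shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        if META.search(decoded):
            hits.append((m.group("path"), decoded))
    return hits

# Constructed access-log lines in Common Log Format (not real LoadMaster logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Nov/2024:10:01:02 +0000] "GET /mgmt/api?cmd=show HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Nov/2024:10:01:07 +0000] "GET /mgmt/api?cmd=show%3Bid HTTP/1.1" 200 88',
    '10.0.0.5 - - [20/Nov/2024:10:01:09 +0000] "POST /mgmt/api?cmd=save HTTP/1.1" 200 64',
]
```

The metacharacter match is a coarse indicator: treat hits as leads for manual review against the source IP and the time window before patching, not as proof of compromise.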

Key Details

Property               Value
CVE ID                 CVE-2024-1212
Vendor / Product       Progress — Kemp LoadMaster
NVD Published          2024-02-21
NVD Last Modified      2026-02-26
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2024-11-18
CISA KEV Deadline      2024-12-09
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:         Network
Attack Complexity:     Low
Privileges Required:   None
User Interaction:      None
Scope:                 Changed
Confidentiality:       High
Integrity:             High
Availability:          High

Required Action

CISA BOD 22-01 Deadline: 2024-12-09. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-02-21   CVE published; Progress releases patched LMOS versions 7.2.59.2, 7.2.54.8, 7.2.48.10
2024-11-18   Added to CISA Known Exploited Vulnerabilities catalog
2024-12-09   CISA BOD 22-01 remediation deadline