Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands.
Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection.
"It is possible for unauthenticated, remote attackers who have access to the management interface of LoadMaster to issue a carefully crafted http request that will allow arbitrary system commands to be executed," the company said in an advisory last week.
"This vulnerability has been closed by sanitizing request user input to mitigate arbitrary system commands execution."
The flaw affects the following versions -
- LoadMaster (7.2.60.0 and all prior versions)
- Multi-Tenant Hypervisor (7.1.35.11 and all prior versions)
Security researcher Florian Grunow has been credited with discovering and reporting the flaw. Progress said it has found no evidence of the vulnerability being exploited in the wild.
That said, it's recommended that users apply the latest fixes as soon as possible by downloading an add-on package. The update can be installed by navigating to System Configuration > System Administration > Update Software.
"We are encouraging all customers to upgrade their LoadMaster implementations as soon as possible to harden their environment," the company said. "We also strongly recommend that customers follow our security hardening guidelines."