Progress Software's LoadMaster, a high-performance load balancer used by many organizations, contained a flaw in its configuration management system that allowed attackers to execute arbitrary code on vulnerable instances and gain unauthorized access to them. The vulnerability was discovered by a security researcher.
The vulnerability is classified as a remote code execution flaw and carries the maximum severity score of 10.0 on the CVSS scale. It allows unauthenticated remote attackers to execute arbitrary system commands by sending specially crafted HTTP requests. Progress Software was also at the center of a Memorial Day 2023 mass hacking incident, which began when a cybercriminal group exploited a zero-day vulnerability in the Massachusetts-based company's MOVEit file transfer software. By last count, that attack affected 2,773 organizations. It formed part of a cascade of incidents involving edge devices such as those made by Progress (see: Surge in Attacks Against Edge and Infrastructure Devices).
In practice, an attacker can abuse the LoadMaster's HTTP request handling to alter the system's behavior. Because the flaw is rated critical, it poses a significant risk to the security of the LoadMaster system, and that risk is heightened by the fact that the vulnerability is now publicly known, so attackers may attempt to exploit it.
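As an added illustration of the vulnerability class described above (OS command injection reached through an HTTP request parameter), the following Python is not LoadMaster's code and does not reproduce the actual flaw, whose mechanics the article does not detail. It contrasts a handler that splices a request parameter into a shell string with a hardened handler that allowlist-validates the value and invokes the program without a shell, plus a simple triage check a defender might run over request parameters. All function names, the `host` parameter and the sample values are constructed for the example.

```python
"""Illustrative OS command injection pattern beside its hardened form.

Added example, not LoadMaster code. `echo` stands in for a real network
utility so that running the demonstration is harmless.
"""
import re
import subprocess

# Allowlist for a hostname-like parameter: letters, digits, dot, dash, underscore.
# (Constructed policy for this example.)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,253}$")

# Characters that let a shell chain, substitute or redirect commands.
SHELL_METACHARACTERS = ";|&`$()<>\n"


def run_lookup_vulnerable(host: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell command.

    shell=True hands the whole string to /bin/sh, which honours metacharacters,
    so a value such as "a; echo injected" runs a second command.
    """
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_lookup_hardened(host: str) -> str:
    """Hardened form: reject anything outside the allowlist, then pass an argv list.

    No shell is involved; the value reaches the program as one argument and is
    never re-parsed, so metacharacters have no special meaning.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


def looks_like_injection(value: str) -> bool:
    """Detection helper: flag a request parameter carrying shell metacharacters."""
    return any(c in value for c in SHELL_METACHARACTERS)


# Constructed sample parameter values as a web handler might receive them.
CONSTRUCTED_PARAMETERS = [
    "example.com",          # benign
    "a; echo injected",     # attempted command chaining
    "$(whoami)",            # attempted command substitution
    "host|cat",             # attempted pipe
]


def triage(values):
    """Return (value, flagged) pairs so suspicious parameters can be reviewed."""
    return [(v, looks_like_injection(v)) for v in values]


if __name__ == "__main__":
    for value, flagged in triage(CONSTRUCTED_PARAMETERS):
        print(f"{value!r:22} flagged={flagged}")
    print("vulnerable handler output:", repr(run_lookup_vulnerable("a; echo injected")))
    try:
        run_lookup_hardened("a; echo injected")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The triage helper is a coarse screen, not a complete detector: it catches the obvious metacharacters in a decoded parameter, which is enough to surface probing in request logs for manual review, while the allowlist in the hardened handler is what actually closes the hole.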
