Progress plugs high-risk security vulnerabilities in Telerik and Loadmaster
Progress has disclosed high-risk vulnerabilities in its Loadmaster and Telerik products. Updates are available to fix them.
(Image: created with AI in Bing Designer by heise online / dmk)
Progress warns of security vulnerabilities in its Telerik developer tools and in the Loadmaster load balancer. In Telerik, attackers can eavesdrop on data exchanged between the agent and host components; in Loadmaster, they can inject commands that the operating system executes.
Progress' security advisory for Telerik describes the vulnerability as "plaintext transmission of sensitive information" (CVE-2025-0556, CVSS 8.8, risk "high"). The manufacturer qualifies this, however: in Telerik Report Server, when the older .NET Framework implementation is used, communication of non-sensitive data between the service agent and the app host runs over an unencrypted tunnel. In the default installation, both components sit on the same machine. Because other deployment layouts are also possible, the risk assessment includes abuse from the network, which raises the rating.
Telerik: Updates are available
The problem does not occur with the newer .NET implementation. Telerik 2024 Q4 (10.3.24.1218) and earlier are affected; version 2025 Q1 (11.0.25.211) or newer fixes the underlying bug.
In a further security advisory, Progress addresses vulnerabilities in Loadmaster and the Loadmaster Multi-Tenant (MT) hypervisor. After authenticating to the management interface, attackers can exploit four different vulnerabilities to inject arbitrary commands via specially crafted HTTP requests, which the operating system then executes (CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56135; all CVSS 8.4, risk "high"). A fifth vulnerability allows arbitrary files to be downloaded from the target system in the same way (CVE-2024-56134, CVSS 8.4, high).
For Loadmaster 7.2.55.0 to 7.2.60.1, version 7.2.61.0 (GA) fixes the flaws; for 7.2.49.0 to 7.2.54.12, version 7.2.54.13 (LTSF) does. Anyone running Loadmaster 7.2.48.12 or older should update to the current GA or LTSF release. For the multi-tenant Loadmaster, version 7.1.35.12 and all earlier versions are affected; the update to version 7.1.35.13 (GA) is available.
IT managers should install the updates promptly. Around November last year, the US cyber-security agency CISA warned that vulnerabilities in Loadmaster were being actively exploited on the Internet. Until the updates are in place, keeping the management interface off the public Internet limits exposure, since the newly reported command-injection flaws require a valid login.
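The version ranges above are easy to get wrong in an asset inventory, because a plain string comparison sorts "7.2.9" after "7.2.10". The following helper, added here as an example and not code from Progress or heise, compares versions numerically and maps each installation to the update the advisories name. The inventory list at the bottom is constructed for illustration; the version boundaries are the ones quoted in the article.

```python
"""Triage Loadmaster and Telerik Report Server versions against the Progress advisories.

Added example (not vendor code). Version boundaries are those quoted in the article;
hostnames in the sample inventory are made up.
"""

# Loadmaster branches: (lowest affected, highest affected, fixed release, branch label)
LOADMASTER_BRANCHES = [
    ("7.2.55.0", "7.2.60.1", "7.2.61.0", "GA"),
    ("7.2.49.0", "7.2.54.12", "7.2.54.13", "LTSF"),
]
LOADMASTER_LEGACY_MAX = "7.2.48.12"      # this and older: move to current GA or LTSF
LOADMASTER_MT_LAST_AFFECTED = "7.1.35.12"
LOADMASTER_MT_FIXED = "7.1.35.13"
TELERIK_FIXED = "11.0.25.211"            # Telerik Report Server 2025 Q1


def parse_version(s: str) -> tuple:
    """'7.2.55.0' -> (7, 2, 55, 0). Numeric tuples compare correctly, unlike strings.

    Shorter inputs are padded with zeros so '7.2.61' == '7.2.61.0'.
    """
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def loadmaster_action(version: str, multi_tenant: bool = False) -> str:
    """Return the remediation the advisory prescribes for a Loadmaster version."""
    v = parse_version(version)
    if multi_tenant:
        if v <= parse_version(LOADMASTER_MT_LAST_AFFECTED):
            return f"update to {LOADMASTER_MT_FIXED} (GA)"
        return "not affected (fixed release or newer)"
    for low, high, fixed, label in LOADMASTER_BRANCHES:
        if parse_version(low) <= v <= parse_version(high):
            return f"update to {fixed} ({label})"
    if v <= parse_version(LOADMASTER_LEGACY_MAX):
        return "update to current GA or LTSF release"
    if v == parse_version("7.2.54.13") or v >= parse_version("7.2.61.0"):
        return "not affected (fixed release or newer)"
    return "not listed in the advisory; verify manually"


def telerik_action(version: str) -> str:
    """Return the remediation for a Telerik Report Server version (CVE-2025-0556)."""
    if parse_version(version) >= parse_version(TELERIK_FIXED):
        return "not affected (2025 Q1 or newer)"
    return f"update to 2025 Q1 ({TELERIK_FIXED}) or newer"


def triage(inventory) -> list:
    """inventory: iterable of (host, product, version); product is
    'loadmaster', 'loadmaster-mt' or 'telerik'. Returns (host, action) pairs."""
    result = []
    for host, product, version in inventory:
        if product == "loadmaster":
            action = loadmaster_action(version)
        elif product == "loadmaster-mt":
            action = loadmaster_action(version, multi_tenant=True)
        elif product == "telerik":
            action = telerik_action(version)
        else:
            action = "unknown product"
        result.append((host, action))
    return result


# Constructed sample inventory (hostnames invented for the example).
SAMPLE_INVENTORY = [
    ("lb-edge-01", "loadmaster", "7.2.60.1"),
    ("lb-edge-02", "loadmaster", "7.2.54.12"),
    ("lb-lab-09", "loadmaster", "7.2.9"),
    ("lb-mt-01", "loadmaster-mt", "7.1.35.12"),
    ("reports-01", "telerik", "10.3.24.1218"),
    ("reports-02", "telerik", "11.0.25.211"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {action}")
```

Note that `lb-lab-09` on "7.2.9" lands in the "current GA or LTSF" bucket; a string-based check would have placed it above 7.2.61.0 and wrongly marked it as patched.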
(dmk)