Skip to main content

Loadmaster CVE-2026-3517

| EUVDEUVD-2026-23856 HIGH
Command Injection (CWE-77)
2026-04-20 ProgressSoftware GHSA-rw4j-jhfh-fr2h
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 14:32 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23856
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:22 nvd
HIGH 8.4

DescriptionCVE.org

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command

AnalysisAI

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

Technical ContextAI

This vulnerability stems from CWE-77 (OS Command Injection) in the API layer of Progress's Application Delivery Controller product family. The 'addcountry' command within the Geo Administration feature fails to sanitize user-supplied input before passing it to underlying system command execution functions. LoadMaster and its related connection management platforms (ECS, Object Scale, MOVEit WAF) share common API codebases for geolocation-based traffic management features. The affected CPE strings indicate the vulnerability spans multiple Progress ADC products: LoadMaster (core product), ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. All are network appliances that handle load balancing, web application firewall, and connection management functions, typically deployed at network perimeters or in DMZ configurations. The command injection occurs server-side in the management plane rather than the data plane, meaning it affects administrative functions rather than traffic processing.

RemediationAI

Upgrade all affected products to version 7.2.63.0 or later as documented in Progress Security Advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. For LoadMaster, upgrade from any 7.1.32.0-7.2.62.0 version to 7.2.63.0. For ECS Connections Manager, upgrade from 7.2.49.0-7.2.62.0 to 7.2.63.0. For MOVEit WAF and Object Scale Connection Manager, upgrade from 7.2.62.0 or earlier to 7.2.63.0. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Revoke or strictly audit all 'Geo Administration' role assignments, limiting this permission to only essential personnel with MFA enforcement (reduces administrative flexibility for geolocation features), (2) Implement network segmentation to isolate LoadMaster management interfaces from adjacent networks using firewall rules permitting access only from dedicated management VLANs (increases operational complexity for remote administration), (3) Enable comprehensive API audit logging and monitor for 'addcountry' command invocations with anomalous parameters (detective rather than preventive control, requires active SIEM monitoring). Note that disabling Geo Administration features entirely may impact geolocation-based traffic steering capabilities if those features are in production use.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2026-8037 CRITICAL POC
9.8 Jun 04

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-4048 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm

CVE-2026-3519 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow

CVE-2026-3518 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

CVE-2024-56132 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

Share

CVE-2026-3517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy