Severity by source
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
AnalysisAI
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.
Technical ContextAI
This vulnerability stems from CWE-77 (OS Command Injection) in the API layer of Progress's Application Delivery Controller product family. The 'addcountry' command within the Geo Administration feature fails to sanitize user-supplied input before passing it to underlying system command execution functions. LoadMaster and its related connection management platforms (ECS, Object Scale, MOVEit WAF) share common API codebases for geolocation-based traffic management features. The affected CPE strings indicate the vulnerability spans multiple Progress ADC products: LoadMaster (core product), ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. All are network appliances that handle load balancing, web application firewall, and connection management functions, typically deployed at network perimeters or in DMZ configurations. The command injection occurs server-side in the management plane rather than the data plane, meaning it affects administrative functions rather than traffic processing.
RemediationAI
Upgrade all affected products to version 7.2.63.0 or later as documented in Progress Security Advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. For LoadMaster, upgrade from any 7.1.32.0-7.2.62.0 version to 7.2.63.0. For ECS Connections Manager, upgrade from 7.2.49.0-7.2.62.0 to 7.2.63.0. For MOVEit WAF and Object Scale Connection Manager, upgrade from 7.2.62.0 or earlier to 7.2.63.0. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Revoke or strictly audit all 'Geo Administration' role assignments, limiting this permission to only essential personnel with MFA enforcement (reduces administrative flexibility for geolocation features), (2) Implement network segmentation to isolate LoadMaster management interfaces from adjacent networks using firewall rules permitting access only from dedicated management VLANs (increases operational complexity for remote administration), (3) Enable comprehensive API audit logging and monitor for 'addcountry' command invocations with anomalous parameters (detective rather than preventive control, requires active SIEM monitoring). Note that disabling Geo Administration features entirely may impact geolocation-based traffic steering capabilities if those features are in production use.
More in Loadmaster
View allUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s
Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This
An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23856
GHSA-rw4j-jhfh-fr2h