Severity by source
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
AnalysisAI
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.
Technical ContextAI
This vulnerability exploits CWE-77 (Improper Neutralization of Special Elements used in a Command) in the API layer of Progress Application Delivery Controller (ADC) products. The affected CPE strings identify four distinct Progress products sharing common API code: LoadMaster load balancer, MOVEit WAF (web application firewall), ECS Connections Manager (Dell EMC ECS storage gateway), and Object Scale Connection Manager (object storage gateway). The 'killsession' API command fails to sanitize user-supplied input before passing it to underlying OS shell execution functions. All products share the same vulnerable API codebase in versions 7.2.x prior to 7.2.63.0, with LoadMaster vulnerable from 7.2.37.0 and other products from later 7.2.x versions. The adjacent network attack vector (AV:A) suggests exploitation requires Layer 2 network access or compromised VPN/internal network position, not internet-wide exposure.
RemediationAI
Upgrade all affected Progress ADC products to version 7.2.63.0 or later, which contains vendor-released patches addressing the command injection vulnerability in the killsession API endpoint per Progress advisory EUVD-2026-23857. Download patches from Progress Community portal at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. If immediate patching is not feasible, implement compensating controls: restrict 'All' permission accounts to absolute minimum required administrators with multi-factor authentication enforced; audit all accounts with elevated permissions and revoke unnecessary access; enable detailed API audit logging to detect killsession command usage with suspicious parameters; implement network segmentation to limit adjacent network access to ADC management interfaces (restrict Layer 2 broadcast domains and disable management interface access from untrusted VLANs); deploy intrusion detection signatures monitoring for shell metacharacters in API POST requests to killsession endpoints. Note that restricting API access may impact legitimate automation workflows using privileged accounts-coordinate with application teams before implementing access controls. Compensating controls reduce but do not eliminate risk since legitimate admin access remains necessary for operations.
More in Loadmaster
View allUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s
Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This
An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23857
GHSA-wvwg-7g9q-g3v4