Skip to main content

Loadmaster CVE-2026-3518

| EUVDEUVD-2026-23857 HIGH
Command Injection (CWE-77)
2026-04-20 ProgressSoftware GHSA-wvwg-7g9q-g3v4
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 14:32 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23857
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:29 nvd
HIGH 8.4

DescriptionCVE.org

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

AnalysisAI

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

Technical ContextAI

This vulnerability exploits CWE-77 (Improper Neutralization of Special Elements used in a Command) in the API layer of Progress Application Delivery Controller (ADC) products. The affected CPE strings identify four distinct Progress products sharing common API code: LoadMaster load balancer, MOVEit WAF (web application firewall), ECS Connections Manager (Dell EMC ECS storage gateway), and Object Scale Connection Manager (object storage gateway). The 'killsession' API command fails to sanitize user-supplied input before passing it to underlying OS shell execution functions. All products share the same vulnerable API codebase in versions 7.2.x prior to 7.2.63.0, with LoadMaster vulnerable from 7.2.37.0 and other products from later 7.2.x versions. The adjacent network attack vector (AV:A) suggests exploitation requires Layer 2 network access or compromised VPN/internal network position, not internet-wide exposure.

RemediationAI

Upgrade all affected Progress ADC products to version 7.2.63.0 or later, which contains vendor-released patches addressing the command injection vulnerability in the killsession API endpoint per Progress advisory EUVD-2026-23857. Download patches from Progress Community portal at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. If immediate patching is not feasible, implement compensating controls: restrict 'All' permission accounts to absolute minimum required administrators with multi-factor authentication enforced; audit all accounts with elevated permissions and revoke unnecessary access; enable detailed API audit logging to detect killsession command usage with suspicious parameters; implement network segmentation to limit adjacent network access to ADC management interfaces (restrict Layer 2 broadcast domains and disable management interface access from untrusted VLANs); deploy intrusion detection signatures monitoring for shell metacharacters in API POST requests to killsession endpoints. Note that restricting API access may impact legitimate automation workflows using privileged accounts-coordinate with application teams before implementing access controls. Compensating controls reduce but do not eliminate risk since legitimate admin access remains necessary for operations.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2026-8037 CRITICAL POC
9.8 Jun 04

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-4048 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm

CVE-2026-3519 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow

CVE-2026-3517 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

CVE-2024-56132 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

Share

CVE-2026-3518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy