Skip to main content

Loadmaster CVE-2026-3519

| EUVDEUVD-2026-23858 HIGH
Command Injection (CWE-77)
2026-04-20 ProgressSoftware GHSA-g4q4-3mm2-2w69
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 14:32 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 14:15 euvd
EUVD-2026-23858
Analysis Generated
Apr 20, 2026 - 14:15 vuln.today
CVE Published
Apr 20, 2026 - 13:32 nvd
HIGH 8.4

DescriptionCVE.org

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

AnalysisAI

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

Technical ContextAI

This vulnerability exploits CWE-77 (OS Command Injection) in the API layer of Progress Application Delivery Controller (ADC) products. The 'aclcontrol' command in the management API fails to sanitize user-supplied input before passing it to underlying operating system shell commands. The affected products-LoadMaster (load balancer), ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF-share a common API framework based on version 7.2.x codebase. CPE strings identify these as distinct Progress Software products but with overlapping version ranges, suggesting shared vulnerable code in the ADC platform. The 'VS Administration' permission level indicates elevated administrative access to virtual server configuration, not standard user privileges. The CVSS scope change (S:C) suggests the vulnerability allows breaking out of the intended API/web management context to execute commands at the underlying OS level, potentially impacting other services or containers on the appliance.

RemediationAI

Upgrade all affected Progress ADC products to version 7.2.63.0 or later per Progress advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. If immediate patching is not feasible, implement network segmentation to restrict management interface access to dedicated administrative VLANs with strict firewall rules limiting adjacency to only authorized jump hosts or PAM solutions (note: this reduces but does not eliminate risk from compromised admin workstations). Review and minimize assignment of 'VS Administration' permissions using principle of least privilege-audit which accounts possess this role and whether it's necessary for their function. Enable detailed API command logging to detect suspicious 'aclcontrol' usage patterns. Consider placing management interfaces behind multi-factor authentication if not already deployed. These mitigations reduce attack surface but do not address the underlying injection vulnerability; patching to 7.2.63.0 remains the definitive remediation.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2026-8037 CRITICAL POC
9.8 Jun 04

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-4048 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm

CVE-2026-3518 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP

CVE-2026-3517 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

CVE-2024-56132 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

Share

CVE-2026-3519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy