Severity by source
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
AnalysisAI
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.
Technical ContextAI
This vulnerability exploits CWE-77 (OS Command Injection) in the API layer of Progress Application Delivery Controller (ADC) products. The 'aclcontrol' command in the management API fails to sanitize user-supplied input before passing it to underlying operating system shell commands. The affected products-LoadMaster (load balancer), ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF-share a common API framework based on version 7.2.x codebase. CPE strings identify these as distinct Progress Software products but with overlapping version ranges, suggesting shared vulnerable code in the ADC platform. The 'VS Administration' permission level indicates elevated administrative access to virtual server configuration, not standard user privileges. The CVSS scope change (S:C) suggests the vulnerability allows breaking out of the intended API/web management context to execute commands at the underlying OS level, potentially impacting other services or containers on the appliance.
RemediationAI
Upgrade all affected Progress ADC products to version 7.2.63.0 or later per Progress advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. If immediate patching is not feasible, implement network segmentation to restrict management interface access to dedicated administrative VLANs with strict firewall rules limiting adjacency to only authorized jump hosts or PAM solutions (note: this reduces but does not eliminate risk from compromised admin workstations). Review and minimize assignment of 'VS Administration' permissions using principle of least privilege-audit which accounts possess this role and whether it's necessary for their function. Enable detailed API command logging to detect suspicious 'aclcontrol' usage patterns. Consider placing management interfaces behind multi-factor authentication if not already deployed. These mitigations reduce attack surface but do not address the underlying injection vulnerability; patching to 7.2.63.0 remains the definitive remediation.
More in Loadmaster
View allUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s
Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This
An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23858
GHSA-g4q4-3mm2-2w69