Severity by source
AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
AnalysisAI
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.
Technical ContextAI
This vulnerability affects Progress Software's Application Delivery Controller (ADC) suite, specifically LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. The flaw is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning the application fails to sanitize user-controlled input before passing it to operating system command interpreters. The vulnerable code path exists in the WAF rule file upload functionality within the web management UI. When custom WAF rules are uploaded, the appliance processes the file contents without proper input validation, allowing shell metacharacters or command sequences to be interpreted by the underlying OS. The CVSS vector indicates Adjacent Network attack vector (AV:A), meaning the attacker must be on the same network segment as the management interface, though this is often achievable in enterprise environments through VPN access or internal network positioning.
RemediationAI
Apply security updates per Progress Software advisory at https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876. Exact patched versions are not specified in available data - consult the vendor advisory directly for release numbers and upgrade procedures. If immediate patching is not feasible, implement compensating controls: (1) Restrict access to the LoadMaster management interface to dedicated admin jump hosts or bastion servers on isolated VLANs, reducing the adjacent network attack surface. (2) Implement principle of least privilege by auditing administrator accounts and removing 'All' permissions where not strictly required, granting only specific functional permissions. (3) Enable detailed audit logging for all WAF rule file upload operations and monitor for anomalous file content patterns or unexpected command sequences. (4) If WAF custom rule uploads are not operationally required, disable this functionality through appliance hardening policies. Note that disabling custom WAF rules may impact security posture if legitimate custom rules are in production. (5) Deploy network segmentation to prevent lateral movement from ADC appliances to backend systems, limiting Changed Scope impact even if compromise occurs.
More in Loadmaster
View allUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s
Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object S
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This
An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Same weakness CWE-77 – Command Injection
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23859
GHSA-pwx9-99jm-fx95