Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Pre-auth command injection reachable over the network via the management API with no user interaction, granting full command execution, so AV:N/AC:L/PR:N/UI:N and C/I/A all High.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Articles & Coverage 2
AnalysisAI
Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.
Technical ContextAI
The affected products are Progress ADC (Application Delivery Controller) appliances - most notably Kemp/Progress LoadMaster, a hardware/virtual load balancer and reverse proxy - plus the related ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF, which share the same management/API codebase. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command, i.e. command injection): the appliance's management API passes attacker-controlled input from multiple command endpoints into an underlying OS shell without adequate sanitization, so shell metacharacters are interpreted rather than treated as literal data. The watchTowr Labs analysis referenced by NVD characterizes the bug as an uninitialized-heap issue leading to pre-auth RCE, suggesting the injection may be reachable via a memory-state/parsing defect in the API front-end - worth verifying against the vendor bulletin. Affected CPEs are progress_software:loadmaster, ecs_connections_manager, object_scale_connection_manager, and moveit_waf.
RemediationAI
Vendor-released patch: upgrade LoadMaster and the related products to V7.2.63.2 (from the 7.2.60.0-7.2.63.2 branch) or to V7.2.54.18 (for LoadMaster on the 7.2.45.12-7.2.54.18 branch), per the Progress LoadMaster Critical Security Bulletin June 2026 (https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691). Because the vulnerability is in the management API, the primary compensating control until patching is to restrict network reachability of the API and administrative interface: place the management interface on an isolated/management VLAN and block API/admin ports from untrusted and internet-facing networks via ACLs or upstream firewall rules, accepting that legitimate remote administration must then originate from that trusted segment. Additionally restrict source IPs allowed to reach the affected command endpoints and monitor appliance logs for anomalous command-endpoint requests; note these are containment measures only and do not remediate the underlying injection, so patching remains mandatory.
More in Loadmaster
View allUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s
Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This
An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil
OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm
Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow
OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP
Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate
Same weakness CWE-77 – Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34260
GHSA-57pc-jm9r-hgj4