Skip to main content

Progress LoadMaster CVE-2026-8037

| EUVDEUVD-2026-34260 CRITICAL
Command Injection (CWE-77)
2026-06-04 ProgressSoftware GHSA-57pc-jm9r-hgj4
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Pre-auth command injection reachable over the network via the management API with no user interaction, granting full command execution, so AV:N/AC:L/PR:N/UI:N and C/I/A all High.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 13, 2026 - 19:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 19:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 19:07 vuln.today
cvss_changed
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.6 (CRITICAL) 9.8 (CRITICAL)
Analysis Generated
Jun 04, 2026 - 14:15 vuln.today

DescriptionNVD

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints

AnalysisAI

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

Technical ContextAI

The affected products are Progress ADC (Application Delivery Controller) appliances - most notably Kemp/Progress LoadMaster, a hardware/virtual load balancer and reverse proxy - plus the related ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF, which share the same management/API codebase. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command, i.e. command injection): the appliance's management API passes attacker-controlled input from multiple command endpoints into an underlying OS shell without adequate sanitization, so shell metacharacters are interpreted rather than treated as literal data. The watchTowr Labs analysis referenced by NVD characterizes the bug as an uninitialized-heap issue leading to pre-auth RCE, suggesting the injection may be reachable via a memory-state/parsing defect in the API front-end - worth verifying against the vendor bulletin. Affected CPEs are progress_software:loadmaster, ecs_connections_manager, object_scale_connection_manager, and moveit_waf.

RemediationAI

Vendor-released patch: upgrade LoadMaster and the related products to V7.2.63.2 (from the 7.2.60.0-7.2.63.2 branch) or to V7.2.54.18 (for LoadMaster on the 7.2.45.12-7.2.54.18 branch), per the Progress LoadMaster Critical Security Bulletin June 2026 (https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691). Because the vulnerability is in the management API, the primary compensating control until patching is to restrict network reachability of the API and administrative interface: place the management interface on an isolated/management VLAN and block API/admin ports from untrusted and internet-facing networks via ACLs or upstream firewall rules, accepting that legitimate remote administration must then originate from that trusted segment. Additionally restrict source IPs allowed to reach the affected command endpoints and monitor appliance logs for anomalous command-endpoint requests; note these are containment measures only and do not remediate the underlying injection, so patching remains mandatory.

CVE-2024-1212 CRITICAL POC
9.8 Feb 21

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary s

CVE-2024-7591 HIGH POC
7.2 Sep 05

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMas

CVE-2024-8755 CRITICAL
9.8 Oct 11

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This

CVE-2024-2448 HIGH
8.8 Mar 22

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2026-4048 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' perm

CVE-2026-3519 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allow

CVE-2026-3518 HIGH
8.4 Apr 20

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager AP

CVE-2026-3517 HIGH
8.4 Apr 20

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration

CVE-2024-56135 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2024-56131 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

CVE-2025-13447 HIGH
8.4 Jan 13

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker

CVE-2024-56132 HIGH
8.4 Feb 05

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rate

Share

CVE-2026-8037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy