Is Loadmaster affected by EUVD-2026-23858?

Progress LoadMaster and ADC products contain a high-severity command injection vulnerability (CVSS 8.4) affecting administrative API endpoints that allows authenticated users with VS Administration permissions to execute arbitrary operating system commands and achieve complete system compromise.

Loadmaster EUVD-2026-23858

| CVE-2026-3519 HIGH

Command Injection (CWE-77)

2026-04-20 ProgressSoftware

GHSA-g4q4-3mm2-2w69

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager Moveit Waf

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 20, 2026 - 14:32 vuln.today

DescriptionNVD

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command

AnalysisAI

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. …

RemediationAI

Within 24 hours: Identify and inventory all affected Progress LoadMaster and ADC deployments; restrict network access to the 'aclcontrol' API endpoint to trusted administrative hosts only using firewall rules; audit administrative account access logs for the 'VS Administration' role. Within 7 days: Disable the 'aclcontrol' API endpoint if operationally feasible; enforce multi-factor authentication for all accounts with VS Administration permissions; conduct a security review of administrative access permissions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-23858 vulnerability details – vuln.today

Back

Loadmaster EUVD-2026-23858

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code