Skip to main content

Loadmaster

21 CVEs product

Monthly

CVE-2026-8037 CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-4048 HIGH This Week

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

File Upload Command Injection RCE Loadmaster Ecs Connections Manager +2
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3519 HIGH This Week

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3518 HIGH This Week

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3517 HIGH This Week

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-13447 HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Multi Tenant Hypervisor Loadmaster Moveit Waf +1
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-13444 HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Ecs Connection Manager Moveit Waf Connection Manager For Objectscale +2
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-1758 MEDIUM This Month

Improper Input Validation vulnerability in Progress LoadMaster allows : Buffer OverflowThis issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-56135 HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2024-56134 HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2024-56133 HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2024-56132 HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2024-56131 HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
8.4
EPSS
0.1%
CVE-2024-8755 CRITICAL Act Now

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Loadmaster
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-6658 MEDIUM This Month

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
CVSS 3.1
6.8
EPSS
0.6%
CVE-2024-7591 HIGH POC PATCH THREAT This Week

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Command Injection Loadmaster Multi Tenant Hypervisor Firmware
NVD
CVSS 3.1
7.2
EPSS
44.1%
CVE-2024-3544 HIGH This Week

Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Loadmaster
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-3543 HIGH This Week

Use of reversible password encryption algorithm allows attackers to decrypt passwords. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Loadmaster
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-2449 HIGH This Week

A cross-site request forgery vulnerability has been identified in LoadMaster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

CSRF Loadmaster
NVD
CVSS 3.1
7.5
EPSS
12.9%
CVE-2024-2448 HIGH This Week

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Loadmaster
NVD
CVSS 3.1
8.8
EPSS
55.4%
CVE-2024-1212 CRITICAL POC KEV THREAT Emergency

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Loadmaster
NVD GitHub
CVSS 3.1
9.8
EPSS
95.4%
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster +3
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

File Upload Command Injection RCE +4
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

Command Injection RCE Loadmaster +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

Command Injection RCE Loadmaster +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

Command Injection RCE Loadmaster +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Multi Tenant Hypervisor +3
NVD
EPSS 0% CVSS 8.4
HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Ecs Connection Manager +4
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper Input Validation vulnerability in Progress LoadMaster allows : Buffer OverflowThis issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Multi Tenant Loadmaster +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows : OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Loadmaster
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Multi Tenant Loadmaster Loadmaster
NVD
EPSS 44% CVSS 7.2
HIGH POC PATCH THREAT This Week

Improper Input Validation vulnerability in Progress LoadMaster allows OS Command Injection.This issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Command Injection Loadmaster Multi Tenant Hypervisor Firmware
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Loadmaster
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Use of reversible password encryption algorithm allows attackers to decrypt passwords. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Loadmaster
NVD
EPSS 13% CVSS 7.5
HIGH This Week

A cross-site request forgery vulnerability has been identified in LoadMaster. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

CSRF Loadmaster
NVD
EPSS 55% CVSS 8.8
HIGH This Week

An OS command injection vulnerability has been identified in LoadMaster. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Loadmaster
NVD
EPSS 95% CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Loadmaster
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy