Skip to main content

Object Scale Connection Manager

5 CVEs product

Monthly

CVE-2026-8037 CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-4048 HIGH This Week

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

File Upload Command Injection RCE Loadmaster Ecs Connections Manager +2
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3519 HIGH This Week

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3518 HIGH This Week

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-3517 HIGH This Week

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

Command Injection RCE Loadmaster Ecs Connections Manager Object Scale Connection Manager +1
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated OS command injection in the API of Progress ADC products - LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF - allows remote attackers to execute arbitrary commands on the appliance by supplying unsanitized input to multiple command endpoints. The flaw carries a CVSS of 9.8 (pre-auth, network-reachable) and publicly available exploit code exists (a GitHub PoC and watchTowr Labs write-up), though EPSS remains low at 0.30% and CISA SSVC currently rates exploitation status as 'none'. Fixed builds (7.2.63.2 and 7.2.54.18) are available from Progress.

RCE Command Injection Loadmaster +3
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster and related ADC products allows authenticated administrators with 'All' permissions to execute arbitrary commands via malicious WAF rule file uploads. The attacker exploits unsanitized input during the file upload process in the web UI. With CVSS 8.4 and scope change to 'Changed', successful exploitation enables complete system compromise beyond the vulnerable component. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis. EPSS data not available for risk assessment.

File Upload Command Injection RCE +4
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF allows authenticated administrators with 'VS Administration' privileges to execute arbitrary operating system commands on the appliance via unsanitized input to the 'aclcontrol' API command. CVSS 8.4 reflects high-privilege requirement but scope change indicates container escape or cross-boundary impact. EPSS data not provided. No public exploit identified at time of analysis. Vendor-released patch: version 7.2.63.0 for all affected products per Progress advisory.

Command Injection RCE Loadmaster +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

OS command injection in Progress LoadMaster, MOVEit WAF, ECS Connections Manager, and Object Scale Connection Manager API allows authenticated attackers with 'All' permissions to execute arbitrary commands on appliances via unsanitized input in the 'killsession' API endpoint. CVSS 8.4 (High) reflects adjacent network access vector and high privileges requirement, limiting exploitation to administrators or compromised admin accounts. CISA SSVC assessment indicates no active exploitation, non-automatable attack, but total technical impact. EPSS data not provided, but privilege requirements significantly reduce real-world attack surface compared to unauthenticated RCE vulnerabilities.

Command Injection RCE Loadmaster +3
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Command injection in Progress LoadMaster and related ADC products allows authenticated attackers with Geo Administration permissions to execute arbitrary OS commands on appliances via the unsanitized 'addcountry' API parameter. Affects LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager versions prior to 7.2.63.0. EPSS data unavailable; not listed in CISA KEV. CVSS 8.4 reflects high impact (complete system compromise) but requires adjacent network access and high-privilege authentication, significantly constraining real-world exploitation scenarios. Vendor has released patches addressing all affected products.

Command Injection RCE Loadmaster +3
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy