Progress Software on Monday rolled out patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could lead to remote code execution (RCE) and OS command injection.
Two of the bugs, CVE-2026-3517 and CVE-2026-3519, impact APIs in Progress ADC products and could be exploited by users with ‘Geo Administration’ and ‘VS Administration’ permissions for the execution of arbitrary commands on the LoadMaster appliance.
The flaws exist because the ‘addcountry’ and ‘aclcontrol’ commands do not properly sanitize user-supplied input.
Another issue, tracked as CVE-2026-3518, impacts an API in the ADC products’ LoadMaster and can be exploited by an authenticated attacker who has the ‘All’ permissions. It exists because the ‘killsession’ command allows unsanitized input.
The fourth security defect, CVE-2026-4048, impacts the UI in Progress ADC products. An authenticated attacker with the ‘All’ permissions can inject code in a custom WAF rule file, leading to command execution as the input is improperly sanitized during the file upload process.
On Monday, Progress also announced fixes for CVE-2026-21876, a firewall policy bypass issue in the rule set to flag non-standard character sets used in HTTP multipart request headers.
The flawed logic leads to character set validation being applied only to the last multipart content type header, even if the application iterates over all headers in the request.
“This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection,” Progress explains.
Successful exploitation of these flaws could allow authenticated attackers to execute arbitrary commands and code on the LoadMaster and MOVEit WAF appliances.
Progress patched the bugs in MOVEit WAF version 7.2.63.0, LoadMaster GA version 7.2.63.1, LoadMaster LTSF version 7.2.54.17, ECS Connection Manager version 7.2.63.1, and Connection Manager for ObjectScale version 7.2.63.1.
The company says it has not received any reports that these vulnerabilities have been exploited, but urges customers to update their deployments as soon as possible.
Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities
Related: Splunk Enterprise Update Patches Code Execution Vulnerability
Related: Cisco Patches Critical Vulnerabilities in Webex, ISE
Related: Two Vulnerabilities Patched in Ivanti Neurons for ITSM
