CVE-2026-3517

HIGH

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Title source: cna

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command

References (1)

[Vendor Advisory] https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876

Scores

CVSS v3 8.4

EPSS 0.0008

EPSS Percentile 23.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (4)

Progress Software/ECS Connections Manager 7.2.49.0 - V7.2.63.0

Progress Software/LoadMaster 7.1.32.0 - V7.2.63.0

Progress Software/MOVEit WAF 7.2.62.0 - V7.2.63.0

Progress Software/Object Scale Connection Manager 7.2.62.0 - V7.2.63.0

Published Apr 20, 2026

Tracked Since Apr 20, 2026