CVE-2026-8037
CRITICALProgress ADC Products - Unauthenticated OS Command Injection
Title source: manualDescription
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
Scores
CVSS v3
9.6
EPSS
0.0083
EPSS Percentile
52.7%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
Status
published
Products (5)
Progress Software/ECS Connections Manager
V7.2.60.0 - V7.2.63.2
Progress Software/LoadMaster
V7.2.45.12 - V7.2.54.18
Progress Software/LoadMaster
V7.2.60.0 - V7.2.63.2
Progress Software/MOVEit WAF
V7.2.60.0 - V7.2.63.2
Progress Software/Object Scale Connection Manager
V7.2.60.0 - V7.2.63.2
Published
Jun 04, 2026
Tracked Since
Jun 04, 2026