Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
Published: 2026-04-20
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Unsanitized input in the 'addcountry' API call allows an attacker holding 'Geo Administration' rights to inject operating-system commands. The flaw is a classic OS command injection (CWE-77) and can lead to full remote code execution on the LoadMaster appliance. Because the vulnerability is reached through API endpoints, an attacker with valid credentials gains the same ability as that authenticated user, potentially compromising the entire ADC environment.

Affected Systems

Progress Software's ADC portfolio is affected. The products listed are LoadMaster, ECS Connection Manager, MOVEit WAF, and Object Scale Connection Manager. The CVE data does not specify affected releases or patch identifiers, so current installations of any version of these products should be evaluated for the presence of the 'addcountry' API and for the documented input validation flaw.

Risk and Exploitability

With a CVSS score of 8.4, this vulnerability falls into the high severity category. No EPSS score is available, so the likelihood of exploitation cannot be estimated from that signal, but the absence of a KEV listing suggests that it may not yet be actively exploited in the wild. The preconditions (valid credentials with Geo Administration rights and access to the vulnerable API) mean that an attacker can carry out the exploit remotely and without needing local privileges; note that the CVSS 3.1 vector recorded in the History section below rates the attack vector as adjacent (AV:A) and privileges required as high (PR:H). The potential impact is complete compromise of the LoadMaster appliance, including data exfiltration, reboot, or service disruption.

Generated by OpenCVE AI on April 20, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for the affected Progress ADC products when released.
  • Restrict or remove Geo Administration permissions from non‑privileged users.
  • Configure the API endpoint to enforce input validation or limit allowed characters for the 'addcountry' parameter.
  • Use network segmentation and firewall rules to limit external reach to the LoadMaster appliance.

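The third recommended action (input validation on the 'addcountry' parameter) in working form, as an added example that is not Progress or OpenCVE code: the LoadMaster API's real handler and backing command are not shown on this page, so the tool path (GEO_TOOL), the parameter shape and the ISO 3166-1 alpha-2 format are assumptions. It contrasts the CWE-77 anti-pattern, splicing the value into a shell string, with an allowlist check followed by a discrete argv list passed without a shell:

```python
"""Allowlist validation for a country-code API parameter (added example).

Not Progress/LoadMaster code: the real 'addcountry' handler is not public on
this page, so GEO_TOOL and the parameter format are assumptions. The pattern
is what matters: validate against a strict allowlist, then hand the value to
the backing tool as one argv element, never through a shell string.
"""
import re
import subprocess
from typing import List

# Hypothetical backing tool; stands in for whatever the real API invokes.
GEO_TOOL = "/usr/local/bin/geo-admin"

# Assumed value space: ISO 3166-1 alpha-2, i.e. exactly two ASCII letters.
# fullmatch() means the whole string must match, so a trailing newline,
# surrounding whitespace or any extra character fails the check.
_COUNTRY_CODE = re.compile(r"[A-Za-z]{2}")


class InvalidCountryCode(ValueError):
    """Raised for any value outside the allowlist."""


def validate_country_code(value: str) -> str:
    """Return the upper-cased code, or raise InvalidCountryCode.

    The regex runs on the raw value before case normalisation: upper() on
    non-ASCII input can change length (e.g. one character becoming two), so
    normalising first would widen what the allowlist accepts.
    """
    if not isinstance(value, str) or not _COUNTRY_CODE.fullmatch(value):
        raise InvalidCountryCode(f"rejected country code: {value!r}")
    return value.upper()


def build_addcountry_vulnerable(value: str) -> str:
    """The CWE-77 anti-pattern: untrusted value spliced into a shell line.

    Returned as a string purely to contrast with the hardened form below;
    a shell parsing this line would interpret any metacharacters in value.
    """
    return f"{GEO_TOOL} addcountry {value}"


def build_addcountry_argv(value: str) -> List[str]:
    """Hardened form: validate first, then build a discrete argv list.

    With shell=False there is no shell to interpret the argument, so the
    validated code reaches the tool as a single, literal argument.
    """
    code = validate_country_code(value)
    return [GEO_TOOL, "addcountry", code]


def run_addcountry(value: str) -> subprocess.CompletedProcess:
    """Invoke the hypothetical tool safely (not exercised by the test)."""
    return subprocess.run(build_addcountry_argv(value), shell=False,
                          check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: two valid codes, then malformed values.
    for sample in ["us", "DE", "DE;extra", "$(x)", "FRA", "DE\n", " de ", ""]:
        try:
            print(repr(sample), "->", build_addcountry_argv(sample))
        except InvalidCountryCode as exc:
            print(repr(sample), "->", exc)
```

Allowlisting beats blocklisting shell metacharacters here because the legitimate value space is tiny and fully known; the check rejects whitespace, non-ASCII letters and trailing newlines before any case normalisation, and the list form of subprocess with shell=False means the validated value reaches the tool as one argument regardless of its content.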

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (empty)          ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description   (empty)          OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
Title         (empty)          OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses    (empty)          CWE-77
References    (empty)          (empty)
Metrics       (empty)          cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-20T14:06:19.122Z

Reserved: 2026-03-04T15:10:14.967Z

Link: CVE-2026-3517

Vulnrichment

Updated: 2026-04-20T13:59:52.965Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:19.330

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-3517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses