Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
Published: 2026-04-20
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the progressive ADC product suite allows an authenticated attacker with "All" permissions to send a "killsession" command that is not properly sanitized, resulting in OS command injection. This enables full control over the appliance, including the ability to read, modify, or delete data and potentially compromise the entire network segment the device resides on. The weakness corresponds to CWE‑77.

Affected Systems

The vulnerability affects Progress Software ECS Connections Manager, LoadMaster, MOVEit WAF, and Object Scale Connection Manager. Specific version information is not disclosed; any installation exposing the vulnerable killsession API endpoint should be treated as potentially affected.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity for authenticated remote code execution. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog. An attacker would need valid credentials with "All" permissions to trigger the injection, which can be achieved through credential compromise or mis‑configuration, thereby enabling full control of the appliance.

Generated by OpenCVE AI on April 20, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑supplied patch that removes or secures the vulnerable killsession API endpoint.
  • If a patch is not yet available, disable or delete the killsession endpoint from the API to eliminate the injection surface.
  • Restrict API access to trusted administrative accounts only and remove "All" permissions where they are not required.
  • Configure network firewalls or API gateways to limit API exposure to known administrative IP ranges.

Generated by OpenCVE AI on April 20, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
Title OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-20T14:06:18.977Z

Reserved: 2026-03-04T15:10:16.116Z

Link: CVE-2026-3518

cve-icon Vulnrichment

Updated: 2026-04-20T13:59:50.539Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:19.517

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-3518

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:00:10Z

Weaknesses