Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
Published: 2026-04-20
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A flaw allowing an authenticated attacker with VS Administration permissions to supply unsanitized input to the 'aclcontrol' command in the API of several Progress ADC products leads to OS command injection (CWE-77). The injected payload is executed directly on the appliance's operating system, giving the attacker full remote code execution capabilities. This can compromise confidentiality, integrity, and availability by enabling arbitrary command execution, potential data exfiltration, and denial of service against the appliance.

Affected Systems

The affected vendor and product families are Progress Software ECS Connection Manager, Progress Software LoadMaster, Progress Software MOVEit WAF, and Progress Software Object Scale Connection Manager. No specific product versions were listed in the advisory; administrators of all current deployments of these products should verify whether they contain the patch for CVE-2026-3519.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. Exploitation requires authentication with VS Administration rights, which limits the attack surface to users with that privilege level; the CVSS vector (AV:A, PR:H) also rates the attack vector as adjacent network and the required privileges as high, while S:C records that a successful exploit affects components beyond the vulnerable API. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog. Despite the lack of public exploit information, the impact of remote code execution remains substantial for any system that exposes the vulnerable API.

Generated by OpenCVE AI on April 20, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch that fixes CVE-2026-3519 to all affected Progress ADC products.
  • Restrict VS Administration permissions to only the users or processes that truly need them, removing unnecessary privileged access.
  • Implement input validation for any custom API extensions that invoke the 'aclcontrol' command, ensuring that only arguments on an explicit allow list are accepted.
  • Monitor appliance logs for unexpected or malformed 'aclcontrol' command usage and other indicators of command-injection activity.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
Title | (none) | OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses | (none) | CWE-77
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-20T14:06:18.831Z

Reserved: 2026-03-04T15:10:17.159Z

Link: CVE-2026-3519

Vulnrichment

Updated: 2026-04-20T13:59:47.729Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T14:16:19.683

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-3519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses