Description
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Published: 2026-04-20
Score: 8.4 High
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the user interface of Progress ADC products that allows an authenticated attacker with full administrative rights to upload a malicious custom WAF rule file and execute arbitrary commands on the LoadMaster appliance. Because the input is not sanitized, the attacker can run any system command, leading to complete compromise of confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Progress Software products LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager. Specific affected versions are not listed in the advisory, so any deployment of these products may be susceptible until patched.

Risk and Exploitability

The CVSS score of 8.4 classifies this as high severity. Exploitation requires an attacker to authenticate with an account that has All permissions and to use the web UI to upload a crafted WAF rule file, so the attack vector is remote over a network connection to the management interface. The EPSS score of 2% indicates a moderate likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog; nevertheless, the potential for remote code execution makes it a high risk for systems that expose the admin interface to untrusted networks or whose privileged accounts lack proper segregation.

Generated by OpenCVE AI on June 18, 2026 at 08:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to the most recent release of each affected product.
  • Configure the WAF to disallow or tightly validate rule-file uploads, ensuring that only expected content is accepted and no shell metacharacters are processed.
  • Restrict user permissions so that only the accounts that need them possess All permissions, and monitor account activity for anomalous file uploads or command execution.


Advisories

No advisories yet.

History

Fri, 01 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Progress connection Manager For Objectscale
CPEs                 -                cpe:2.3:a:progress:connection_manager_for_objectscale:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*
                                      cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*
Vendors & Products   -                Progress connection Manager For Objectscale

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Progress
                                      Progress ecs Connection Manager
                                      Progress loadmaster
                                      Progress moveit Waf
                                      Progress object Scale Connection Manager
Vendors & Products   -                Progress
                                      Progress ecs Connection Manager
                                      Progress loadmaster
                                      Progress moveit Waf
                                      Progress object Scale Connection Manager

Mon, 20 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Type                 Values Removed   Values Added
Description          -                OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Title                -                OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses           -                CWE-77
References           -                -
Metrics              -                cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-22T03:55:54.495Z

Reserved: 2026-03-12T12:17:05.403Z

Link: CVE-2026-4048

Vulnrichment

Updated: 2026-04-20T13:59:45.415Z

NVD

Status: Analyzed

Published: 2026-04-20T14:16:20.700

Modified: 2026-06-17T10:55:54.260

Link: CVE-2026-4048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T09:00:16Z

Weaknesses
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')