Description
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Published: 2026-04-20
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the user interface of Progress ADC products that allows an authenticated attacker with full administrative rights to upload a malicious custom WAF rule file and execute arbitrary commands on the LoadMaster appliance. Because the input is not sanitized, the attacker can run any system command, leading to complete compromise of confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Progress Software products LoadMaster, ECS Connection Manager, MOVEit WAF, and Object Scale Connection Manager. The advisory does not list specific affected versions, so any deployment of these products should be treated as susceptible until patched.

Risk and Exploitability

The CVSS score of 8.4 classifies this as high severity. Exploitation requires an attacker to authenticate with an account that holds All permissions and to use the web UI to upload a crafted WAF rule file, so the attack path runs over a network connection to the management interface. No EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog, but the potential for remote code execution makes it a critical risk for deployments that expose the management interface to untrusted networks or whose privileged accounts are not properly segregated.

Generated by OpenCVE AI on April 20, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to the most recent release of each affected product.
  • Configure the WAF to disallow or strictly validate rule-file uploads, so that only expected content is accepted and no shell metacharacters are processed.
  • Restrict user permissions so that only necessary accounts hold All permissions, and monitor account activity for anomalous file uploads or command execution.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Description OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Title OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Updated: 2026-04-20T14:06:18.689Z

Reserved: 2026-03-12T12:17:05.403Z

Link: CVE-2026-4048

Vulnrichment

Updated: 2026-04-20T13:59:45.415Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T14:16:20.700

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-4048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses