Description
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Published: 2026-04-20
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the user interface of Progress ADC products that allows an authenticated attacker with full administrative rights to upload a malicious custom WAF rule file and execute arbitrary commands on the LoadMaster appliance. Because the input is not sanitized, the attacker can run any system command, leading to complete compromise of confidentiality, integrity, and availability.

Affected Systems

The flaw affects the Progress Software products LoadMaster, ECS Connection Manager, MOVEit WAF, and Object Scale Connection Manager. Specific affected versions are not listed in the advisory, so any deployment of these products may be susceptible until patched.

Risk and Exploitability

The CVSS score of 8.4 classifies this as high severity. Exploitation requires an attacker to authenticate with an account that has “All” permissions and to upload a crafted WAF rule file through the web UI, so the attack is carried out over a network connection to the management interface; the CVSS vector rates this as adjacent-network access (AV:A) with high privileges required (PR:H). While no EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog, the potential for remote code execution makes it a serious risk for systems that expose the admin interface to untrusted networks or have privileged accounts that lack proper segregation.

Generated by OpenCVE AI on April 20, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to the most recent release of each affected product.
  • Configure the WAF to disallow or tightly validate rule-file uploads, ensuring that only allowable content is accepted and no shell metacharacters are processed.
  • Restrict user permissions so that only necessary accounts possess “All” permissions, and monitor account activity for anomalous file uploads or command execution.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Progress connection Manager For Objectscale
CPEs | | cpe:2.3:a:progress:connection_manager_for_objectscale:*:*:*:*:*:*:*:*, cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:*, cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*, cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*
Vendors & Products | | Progress connection Manager For Objectscale

Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Progress, Progress ecs Connection Manager, Progress loadmaster, Progress moveit Waf, Progress object Scale Connection Manager
Vendors & Products | | Progress, Progress ecs Connection Manager, Progress loadmaster, Progress moveit Waf, Progress object Scale Connection Manager

Mon, 20 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
Title | | OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses | | CWE-77
References | |
Metrics | | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-22T03:55:54.495Z

Reserved: 2026-03-12T12:17:05.403Z

Link: CVE-2026-4048

Vulnrichment

Updated: 2026-04-20T13:59:45.415Z

NVD

Status: Analyzed

Published: 2026-04-20T14:16:20.700

Modified: 2026-05-01T17:34:54.940

Link: CVE-2026-4048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:48:02Z

Weaknesses