Impact
The vulnerability allows an attacker to send unsanitized input to multiple command endpoints in the Progress ADC products. This flaw is an OS command injection (CWE‑77) that enables unauthenticated remote code execution on the LoadMaster appliance, resulting in full compromise of the system and loss of confidentiality, integrity, and availability.
Affected Systems
Affected vendors and products include Progress Software's LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. No specific version numbers are provided in the advisory, so all current releases of these products are potentially impacted.
Risk and Exploitability
The CVSS score of 9.6 indicates critical severity. The EPSS score of 30% indicates a higher probability of exploitation, which remains above typical thresholds, thereby increasing the overall risk. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated API call to vulnerable command endpoints reachable from any network segment that can contact the device's management interface.
OpenCVE Enrichment