Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Published: 2026-06-04
Score: 9.6 Critical
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection that allows an attacker to send unsanitized input to multiple command endpoints in the Progress ADC products. This flaw enables an unauthenticated attacker to execute arbitrary operating‑system commands on the LoadMaster appliance, leading to full compromise of the system and complete loss of confidentiality, integrity, and availability.

Affected Systems

Affected vendors and products include Progress Software’s LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. No specific version numbers are provided in the advisory, so all current releases of these products are potentially impacted.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical severity. The EPSS score of 2% indicates a very low but non-zero probability of exploitation, but given the remote code execution nature and absence from KEV, the risk remains high. Based on the description, the likely attack vector is an unauthenticated API call to the vulnerable command endpoints, which could be executed from any network segment that can reach the device’s management interface.

Generated by OpenCVE AI on June 24, 2026 at 12:15 UTC.

Remediation

Vendor Workaround

plain text

OpenCVE Recommended Actions

  • Apply the official vendor patch or upgrade to the latest release of LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF.
  • If a patch cannot be applied immediately, apply the vendor‑provided workaround as described in the advisory, which may involve local configuration changes or operational restrictions consistent with the plain‑text instructions.
  • Restrict network traffic to the device’s management and API interfaces and enforce authentication to limit exposure to potential attackers.

Generated by OpenCVE AI on June 24, 2026 at 12:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Progress
Progress ecs Connection Manager
Progress loadmaster
Progress moveit Waf
Progress object Scale Connection Manager
Vendors & Products Progress
Progress ecs Connection Manager
Progress loadmaster
Progress moveit Waf
Progress object Scale Connection Manager

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Title OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Progress Ecs Connection Manager Loadmaster Moveit Waf Object Scale Connection Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-10T10:34:22.183Z

Reserved: 2026-05-06T13:35:25.608Z

Link: CVE-2026-8037

cve-icon Vulnrichment

Updated: 2026-06-10T10:34:16.964Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T14:16:45.177

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-8037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:30:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')