Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Published: 2026-06-04
Score: 9.6 Critical
EPSS: 43.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to send unsanitized input to multiple command endpoints in the Progress ADC products. This flaw is an OS command injection (CWE‑77) that enables unauthenticated remote code execution on the LoadMaster appliance, resulting in full compromise of the system and loss of confidentiality, integrity, and availability.

Affected Systems

Affected vendors and products include Progress Software's LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF. No specific version numbers are provided in the advisory, so all current releases of these products are potentially impacted.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. The EPSS score of 30% indicates a higher probability of exploitation, which remains above typical thresholds, thereby increasing the overall risk. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated API call to vulnerable command endpoints reachable from any network segment that can contact the device's management interface.

Generated by OpenCVE AI on July 14, 2026 at 01:52 UTC.

Remediation

Vendor Workaround

plain text


OpenCVE Recommended Actions

  • Apply the official vendor patch or upgrade to the latest release of LoadMaster, ECS Connections Manager, Object Scale Connection Manager, and MOVEit WAF.
  • If a patch cannot be applied immediately, apply the vendor‑provided workaround as described in the advisory, which may involve local configuration changes or operational restrictions consistent with the plain‑text instructions.
  • Restrict network traffic to the device's management and API interfaces and enforce authentication to limit exposure to potential attackers.
  • Because the flaw is OS command injection (CWE‑77), ensure that all inputs to command endpoints are properly validated or sanitized, and limit which system commands can be executed.

Generated by OpenCVE AI on July 14, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Progress
Progress ecs Connection Manager
Progress loadmaster
Progress moveit Waf
Progress object Scale Connection Manager
Vendors & Products Progress
Progress ecs Connection Manager
Progress loadmaster
Progress moveit Waf
Progress object Scale Connection Manager

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Title OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Progress Ecs Connection Manager Loadmaster Moveit Waf Object Scale Connection Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-07-01T03:55:43.480Z

Reserved: 2026-05-06T13:35:25.608Z

Link: CVE-2026-8037

cve-icon Vulnrichment

Updated: 2026-06-10T10:34:16.964Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-04T14:16:45.177

Modified: 2026-06-04T15:35:18.623

Link: CVE-2026-8037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T02:00:04Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')