Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster

Progress Software on Monday rolled out patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could lead to remote code execution (RCE) and OS command injection. Two of the bugs, CVE-2026-3517 and CVE-2026-3519, impact APIs in Progress ADC products and could be exploited by users with ‘Geo Administration’ and ‘VS Administration’ permissions for the execution of arbitrary commands on the LoadMaster appliance. The flaws exist because the ‘addcountry’ and ‘aclcontrol’ commands do not properly sanitize user-supplied input. Another issue, tracked as CVE-2026-3518, impacts an API in the ADC products’ LoadMaster and can be exploited by an authenticated attacker who has the ‘All’ permissions. It exists because the ‘killsession’ command allows unsanitized input. The fourth security defect, CVE-2026-4048, impacts the UI in Progress ADC products. An authenticated attacker with the ‘All’ permissions can inject code in a custom WAF rule file, leading to command execution as the input is improperly sanitized during the file upload process. On Monday, Progress also announced fixes for CVE-2026-21876, a firewall policy bypass issue in the rule set to flag non-standard character sets used in HTTP multipart request headers. The flawed logic leads to character set validation being applied only to the last multipart content type header, even if the application iterates over all headers in the request. “This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection,” Progress explains. Successful exploitation of these flaws could allow authenticated attackers to execute arbitrary commands and code on the LoadMaster and MOVEit WAF appliances. Progress patched the bugs in MOVEit WAF version 7.2.63.0, LoadMaster GA version 7.2.63.1, LoadMaster LTSF version 7.2.54.17, ECS Connection Manager version 7.2.63.1, and Connection Manager for ObjectScale version 7.2.63.1. The company says it has not received any reports that these vulnerabilities have been exploited, but urges customers to update their deployments as soon as possible. Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities Related: Splunk Enterprise Update Patches Code Execution Vulnerability Related: Cisco Patches Critical Vulnerabilities in Webex, ISE Related: Two Vulnerabilities Patched in Ivanti Neurons for ITSM WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Hackers Abuse QEMU for Defense Evasion Half of the 6 Million Internet-Facing FTP Servers Lack Encryption Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers Tycoon 2FA Loses Phishing Kit Crown Amid Surge in Attacks Two North Korean IT Worker Scheme Facilitators Jailed in the US Cursor AI Vulnerability Exposed Developer Devices 53 DDoS Domains Taken Down by Law Enforcement Artemis Emerges From Stealth With $70 Million in Funding Latest News Third US Security Expert Admits Helping Ransomware Gang Dozens of Malicious Crypto Apps Land in Apple App Store Unsecured Perforce Servers Expose Sensitive Data From Major Orgs Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000 $290 Million Kelp DAO Crypto Heist Blamed on North Korea Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking British Scattered Spider Hacker Pleads Guilty in the US Trending Webinar: A Step-By-Step Approach To AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Anti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors. ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer. Thomas Bain has been appointed Chief Marketing Officer at Silent Push. More People On The Move Expert Insights Government Can’t Win The Cyber War Without The Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI Of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules Of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons From OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Email