On Monday, Progress Software delivered essential updates aimed at addressing several vulnerabilities in their MOVEit WAF and LoadMaster solutions. These vulnerabilities, if left unchecked, could lead to remote code execution (RCE) and operating system command injection, posing significant risks to users.
Details of the Vulnerabilities
The first two vulnerabilities, identified as CVE-2026-3517 and CVE-2026-3519, affect certain APIs in Progress ADC products. Users with ‘Geo Administration’ and ‘VS Administration’ permissions could exploit these flaws to execute arbitrary commands on the LoadMaster appliance. The vulnerabilities arise from insufficient input validation in the ‘addcountry’ and ‘aclcontrol’ commands.
A separate issue, CVE-2026-3518, also impacts the LoadMaster API. An attacker with authenticated access and ‘All’ permissions could exploit the unsanitized input in the ‘killsession’ command. This flaw underscores the need for rigorous input sanitization across all command interfaces.
Additional Security Concerns
Another significant security defect, CVE-2026-4048, pertains to the user interface of Progress ADC products. Authenticated attackers with comprehensive permissions could inject malicious code into a custom WAF rule file due to improper input sanitization during file uploads. This vulnerability facilitates command execution, highlighting the critical nature of effective input handling.
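The code-execution findings above (the ‘addcountry’, ‘aclcontrol’ and ‘killsession’ API commands and the custom WAF rule-file upload) share one root cause: text controlled by an authenticated user reaches a command or a file name without being checked against what that parameter is supposed to contain. The following Python snippet is an added illustration of that pattern and its usual fix, not Progress or LoadMaster code; the tool path, sub-command names and the parameter formats are assumptions made for the example.

```python
import re
import subprocess

# Added illustration of the OS command-injection pattern behind the findings
# above. Tool path, sub-commands and parameter formats are assumptions for
# this example; nothing here is Progress/LoadMaster code.

# Allow-lists describing what each parameter is supposed to look like.
COUNTRY_CODE_RE = re.compile(r"[A-Z]{2}")                    # e.g. "US" (assumed)
SESSION_ID_RE = re.compile(r"[0-9]{1,10}")                    # numeric id (assumed)
RULE_FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.conf")   # uploaded rule file (assumed)

GEO_TOOL = "/usr/local/bin/geo-tool"   # hypothetical helper binary


def vulnerable_command_line(country: str) -> str:
    """The weak pattern: user input spliced into a shell command string.

    When this string is handed to a shell, any metacharacter in `country`
    (';', '|', '$(' ...) is interpreted by the shell rather than the tool,
    so the caller's input decides what gets executed.
    """
    return f"{GEO_TOOL} add-country {country}"


def validate(value: str, pattern: re.Pattern, what: str) -> str:
    """Allow-list validation: the whole value must match the expected shape."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected {what}: {value!r}")
    return value


def accepts(value: str, pattern: re.Pattern) -> bool:
    """Boolean form of the same allow-list decision."""
    return pattern.fullmatch(value) is not None


def hardened_argv(country: str) -> list:
    """The hardened pattern: validate first, then pass the value as its own
    argv element so it can never be re-parsed as part of a command line."""
    return [GEO_TOOL, "add-country", validate(country, COUNTRY_CODE_RE, "country code")]


def kill_session_argv(session_id: str) -> list:
    """Same treatment for a session-termination command."""
    return [GEO_TOOL, "kill-session", validate(session_id, SESSION_ID_RE, "session id")]


def safe_rule_filename(name: str) -> str:
    """Uploaded rule-file names: no path separators, no shell characters."""
    return validate(name, RULE_FILENAME_RE, "rule file name")


def run_hardened(argv: list) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to execve; nothing is re-tokenised.
    return subprocess.run(argv, shell=False, capture_output=True)


if __name__ == "__main__":
    for sample in ("US", "FR", "US;extra", "U S"):
        try:
            print(hardened_argv(sample))
        except ValueError as err:
            print(err)
```

The two defences are deliberately independent: the allow-list rejects anything that is not a plausible value, and the argv form guarantees that even a value that slipped through validation is delivered to the tool as a single argument rather than re-interpreted by a shell.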
Moreover, Progress has addressed CVE-2026-21876, which involves a firewall policy bypass. This flaw allowed a specially crafted multipart request containing an encoded payload to bypass WAF detection due to flawed character set validation logic.
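The charset-handling failure is worth spelling out, because it is a common way for a WAF to end up inspecting something other than what the application behind it will decode. The following Python inspector is an added illustration, not the MOVEit WAF's logic: it parses a constructed multipart/form-data body, refuses any part whose declared charset it cannot decode instead of skipping it, and runs its (constructed) signatures only over the decoded text. The allowed-charset list, the signatures and the sample request are assumptions made for the example.

```python
import re

# Added illustration of fail-closed charset handling for multipart bodies.
# Not the MOVEit WAF's code; charsets, signatures and sample data are
# constructed for this example.

# Charsets the inspector knows how to decode. Anything else is rejected
# outright rather than passed through uninspected.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

# Deliberately tiny signature set standing in for real WAF rules.
SIGNATURES = ("<script", "../")

CHARSET_RE = re.compile(rb'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.I)
HEADER_SPLIT = b"\r\n\r\n"


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart parser: list of {'headers': bytes, 'data': bytes}."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, data = chunk.partition(HEADER_SPLIT)
        if data.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append({"headers": headers, "data": data})
    return parts


def declared_charset(headers: bytes) -> str:
    """Charset named in the part's Content-Type, defaulting to utf-8."""
    m = CHARSET_RE.search(headers)
    return m.group(1).decode("ascii").lower() if m else "utf-8"


def inspect_part(headers: bytes, data: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason for one multipart part."""
    cs = declared_charset(headers)
    if cs not in ALLOWED_CHARSETS:
        return f"block: unsupported charset {cs!r}"     # fail closed
    try:
        text = data.decode(cs, errors="strict")
    except UnicodeDecodeError:
        return f"block: body is not valid {cs}"
    lowered = text.lower()
    for sig in SIGNATURES:
        if sig in lowered:                              # match on decoded text
            return f"block: signature {sig!r}"
    return "allow"


def inspect_request(body: bytes, boundary: bytes) -> list:
    return [inspect_part(p["headers"], p["data"]) for p in parse_multipart(body, boundary)]


def naive_byte_scan(body: bytes) -> bool:
    """The weak approach: pattern-match raw bytes without decoding, so a
    payload in any encoding the scanner does not normalise is not seen."""
    low = body.lower()
    return any(sig.encode() in low for sig in SIGNATURES)


# Constructed sample request with three parts.
BOUNDARY = b"----constructed-boundary"


def build_part(name: str, ctype: str, data: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n'
            b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + data + b"\r\n")


UTF16_PART = build_part("rule", "text/plain; charset=utf-16",
                        "<script>x</script>".encode("utf-16"))
SAMPLE_BODY = (
    build_part("comment", "text/plain; charset=utf-8", b"hello world")
    + build_part("note", "text/plain; charset=utf-8", b"<script>x</script>")
    + UTF16_PART
    + b"--" + BOUNDARY + b"--\r\n"
)

if __name__ == "__main__":
    for verdict in inspect_request(SAMPLE_BODY, BOUNDARY):
        print(verdict)
    print("naive scan saw the utf-16 part:", naive_byte_scan(UTF16_PART))
```

The design choice that matters is the middle branch of inspect_part: an unknown or undecodable charset is a block verdict, not a "nothing to inspect" verdict. A scanner that only matches raw bytes, as naive_byte_scan does, reports nothing for the third part even though it carries the same text as the second.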
Recommendations and Future Outlook
Progress has released patches in specific versions: MOVEit WAF version 7.2.63.0, LoadMaster GA version 7.2.63.1, LoadMaster LTSF version 7.2.54.17, ECS Connection Manager version 7.2.63.1, and Connection Manager for ObjectScale version 7.2.63.1. Although there have been no reports of these vulnerabilities being exploited in the wild, the company strongly advises its customers to update their systems promptly.
As cybersecurity threats continue to evolve, organizations must stay vigilant and proactive. Keeping systems updated with the latest security patches is crucial in maintaining robust defenses against potential attacks.
