Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster

Summary

Progress Software released patches for five security flaws affecting MOVEit WAF and LoadMaster appliances, including CVE-2026-3517, CVE-2026-3519, CVE-2026-3518, CVE-2026-4048, and CVE-2026-21876. The vulnerabilities allow authenticated attackers with specific permissions to execute arbitrary commands, inject code, and bypass WAF detection through improper input sanitization. Progress has not reported active exploitation but urges immediate patching across affected product versions.

Full text

Progress Software on Monday rolled out patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could lead to remote code execution (RCE) and OS command injection. Two of the bugs, CVE-2026-3517 and CVE-2026-3519, impact APIs in Progress ADC products and could be exploited by users with ‘Geo Administration’ and ‘VS Administration’ permissions for the execution of arbitrary commands on the LoadMaster appliance. The flaws exist because the ‘addcountry’ and ‘aclcontrol’ commands do not properly sanitize user-supplied input. Another issue, tracked as CVE-2026-3518, impacts an API in the ADC products’ LoadMaster and can be exploited by an authenticated attacker who has the ‘All’ permissions. It exists because the ‘killsession’ command allows unsanitized input. The fourth security defect, CVE-2026-4048, impacts the UI in Progress ADC products. An authenticated attacker with the ‘All’ permissions can inject code in a custom WAF rule file, leading to command execution as the input is improperly sanitized during the file upload process. On Monday, Progress also announced fixes for CVE-2026-21876, a firewall policy bypass issue in the rule set to flag non-standard character sets used in HTTP multipart request headers.Advertisement. Scroll to continue reading. The flawed logic leads to character set validation being applied only to the last multipart content type header, even if the application iterates over all headers in the request. “This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection,” Progress explains. Successful exploitation of these flaws could allow authenticated attackers to execute arbitrary commands and code on the LoadMaster and MOVEit WAF appliances. Progress patched the bugs in MOVEit WAF version 7.2.63.0, LoadMaster GA version 7.2.63.1, LoadMaster LTSF version 7.2.54.17, ECS Connection Manager version 7.2.63.1, and Connection Manager for ObjectScale version 7.2.63.1. The company says it has not received any reports that these vulnerabilities have been exploited, but urges customers to update their deployments as soon as possible. Related: Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities Related: Splunk Enterprise Update Patches Code Execution Vulnerability Related: Cisco Patches Critical Vulnerabilities in Webex, ISE Related: Two Vulnerabilities Patched in Ivanti Neurons for ITSM Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Half of the 6 Million Internet-Facing FTP Servers Lack EncryptionHackers Fail to Exploit Flaw in Discontinued TP-Link RoutersTycoon 2FA Loses Phishing Kit Crown Amid Surge in AttacksTwo North Korean IT Worker Scheme Facilitators Jailed in the USCursor AI Vulnerability Exposed Developer Devices53 DDoS Domains Taken Down by Law EnforcementArtemis Emerges From Stealth With $70 Million in FundingSplunk Enterprise Update Patches Code Execution Vulnerability Latest News Dozens of Malicious Crypto Apps Land in Apple App StoreUnsecured Perforce Servers Expose Sensitive Data From Major OrgsOrganizations Warned of Exploited Cisco, Kentico, Zimbra VulnerabilitiesData Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000$290 Million Kelp DAO Crypto Heist Blamed on North KoreaSerial-to-IP Converter Flaws Expose OT and Healthcare Systems to HackingBritish Scattered Spider Hacker Pleads Guilty in the USHackers Abuse QEMU for Defense Evasion Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveAnti-ransomware platform Halcyon has named Kirstjen Nielsen and Chris Inglis as Strategic Advisors.ThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.More People On The MoveExpert Insights Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3517
• cve — CVE-2026-3519
• cve — CVE-2026-3518
• cve — CVE-2026-4048
• cve — CVE-2026-21876

Entities