Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF. The issues, tracked as CVE-2026-3517 and CVE-2026-3519, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as CWE-77 and carry a CVSS v3.1 vector of AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability.
CVE-2026-3517 allows an attacker with Geo Administration permissions to exploit the addcountry command, while CVE-2026-3519 requires VS Administration permissions to abuse the aclcontrol command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
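As an added example (not code from the Progress advisory or from this page), the following defender-side script scans constructed admin API audit lines for calls to the two commands named above, `addcountry` and `aclcontrol`, whose parameters carry shell metacharacters, and pairs that with the allowlist checks each parameter type should pass before reaching any OS command. The log line format and the `/access/<command>` path prefix are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

SENSITIVE_COMMANDS = {"addcountry": "Geo Administration", "aclcontrol": "VS Administration"}  # per advisory
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")  # shell syntax never valid in a country code or ACL address
# Constructed log format (assumption, not the appliance's real log): "<ts> user=<name> <METHOD> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
API_PREFIX = "/access/"  # hypothetical path prefix; the last path element is the command name

def parse_line(line):
    """Split one log line into timestamp, user, command name and URL-decoded query params."""
    m = LOG_RE.match(line)
    if not m or not m["url"].startswith(API_PREFIX):
        return None
    url = urlsplit(m["url"])
    return {"ts": m["ts"], "user": m["user"], "command": url.path[len(API_PREFIX):],
            "params": parse_qs(url.query, keep_blank_values=True)}

def suspicious_params(entry):
    """Return (name, value) pairs containing shell syntax, for the two advisory commands only."""
    if entry["command"] not in SENSITIVE_COMMANDS:
        return []
    return [(k, v) for k, vals in entry["params"].items() for v in vals if SHELL_META.search(v)]

def scan(lines):
    """Flag every addcountry/aclcontrol call whose decoded parameters contain shell syntax."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry and (hits := suspicious_params(entry)):
            findings.append((entry["ts"], entry["user"], entry["command"], hits))
    return findings

def valid_country(code):  # allowlist for addcountry input: exactly two ASCII letters (ISO 3166 style)
    return re.fullmatch(r"[A-Za-z]{2}", code) is not None

def valid_acl_addr(addr):  # allowlist for aclcontrol input: one IP address or CIDR network, nothing else
    try:
        return ipaddress.ip_network(addr, strict=False) is not None
    except ValueError:
        return False

SAMPLE_LOG = [  # constructed sample lines, not real appliance output
    "2026-04-20T10:00:01Z user=geoadmin GET /access/addcountry?country=DE",
    "2026-04-20T10:00:05Z user=geoadmin GET /access/addcountry?country=DE%3Bid",
    "2026-04-20T10:01:10Z user=vsadmin POST /access/aclcontrol?add=1&addr=10.0.0.5",
    "2026-04-20T10:01:12Z user=vsadmin POST /access/aclcontrol?add=1&addr=10.0.0.5%7Cls",
    "2026-04-20T10:02:00Z user=vsadmin GET /access/listvs?name=a%3Bb",
]
```

Running `scan(SAMPLE_LOG)` returns only the second and fourth lines; the `listvs` call is ignored because it is not one of the two commands in the advisory, and the validators reject both flagged values while accepting `DE` and `10.0.0.5`.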
Timeline
Apr 22, 2026
Progress patches MOVEit WAF bypass flaw CVE-2026-21876
Progress Software disclosed and patched CVE-2026-21876, a high-severity WAF bypass in the OWASP Core Rule Set that could let unauthenticated attackers evade detection with a crafted multipart HTTP request. The company said MOVEit Cloud was already updated, urged customers to upgrade affected products, and noted it was not aware of active exploitation.
Apr 20, 2026
Progress publishes advisory for CVE-2026-3519 and related CVEs
Progress published a security advisory covering CVE-2026-3519 along with several related vulnerabilities in its ADC products. The reference indicates public disclosure of the issue by April 20, 2026.
Apr 20, 2026
Progress receives reports for CVE-2026-3517 and CVE-2026-3519
Progress received vulnerability reports on April 20, 2026 for two OS command injection flaws affecting its ADC products, specifically the LoadMaster appliance API. CVE-2026-3517 involves the 'addcountry' command and requires Geo Administration permissions, while CVE-2026-3519 involves the 'aclcontrol' command and requires VS Administration permissions.
Related Stories

Critical Authentication Bypass Flaws Disclosed in Progress MOVEit Automation
Progress Software disclosed two critical vulnerabilities in **MOVEit Automation**, including **CVE-2026-4670**, an improper authentication flaw that can allow authentication bypass over the network without user interaction. The issue is rated critical with CVSS `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating potential for high-impact compromise of confidentiality, integrity, and availability. Progress linked the flaw to **CWE-305** and included it in a security bulletin covering both **CVE-2026-4670** and **CVE-2026-5174**. The advisories affect multiple MOVEit Automation release branches, including versions prior to **2025.0.9**, **2024.1.8**, and releases before **2024.0.0**, with broader vendor and government guidance also referencing affected builds such as **2025.1.4 and earlier**, **2025.0.8 and earlier**, **2024.1.7 and earlier**, and **2024.0.0 and earlier**. The Canadian Centre for Cyber Security urged organizations to review the Progress bulletin and apply the required updates to mitigate exposure in internet-reachable file transfer automation environments.
2 days ago
Progress Flowmon Flaws Enable Command Execution and Admin Session Abuse
Progress disclosed two high-severity vulnerabilities in **Flowmon** that affect versions prior to **12.5.8**, with one issue also affecting versions prior to **13.0.6**. **CVE-2026-3692** is a `CWE-78` flaw that allows an authenticated low-privileged user to craft a request during report generation and trigger unintended command execution on the server, creating a path to compromise confidentiality, integrity, and availability without requiring user interaction. The second issue, **CVE-2026-2737**, is a `CWE-79` web-session attack in the Flowmon web application that can be triggered if an administrator clicks a malicious link supplied by an attacker. Progress said the flaw can cause unintended actions within the administrator’s authenticated session, exposing organizations to account misuse and broader system impact. The vulnerabilities were reported through Progress and documented in the vendor advisory portal, with affected customers urged to move to fixed releases **12.5.8** and **13.0.6** where applicable.
1 month ago
Progress ShareFile Storage Zones Controller Flaws Enable Unauthorized Access and RCE
Progress disclosed two high-severity vulnerabilities in **Customer Managed ShareFile Storage Zones Controller (SZC)** that could expose organizations to unauthorized access and remote code execution. **`CVE-2026-2699`** allows an unauthenticated attacker to reach restricted configuration pages, creating a path to unauthorized system configuration changes and possible code execution. The flaw is rated **CVSS 9.8** (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) and is associated with **CWE-284** and **CWE-698**. A second issue, **`CVE-2026-2701`**, allows an authenticated user to upload a malicious file to the server and execute it, resulting in remote code execution in ShareFile SZC environments. That vulnerability carries a **CVSS 8.8** rating (`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`) and is mapped to **CWE-94**, **CWE-78**, and **CWE-434**. The disclosures reference vendor security guidance for ShareFile and indicate that both flaws can significantly affect confidentiality, integrity, and availability in customer-managed deployments.
1 month ago