[{"data":1,"prerenderedAt":153},["ShallowReactive",2],{"article-slug-progress-patches-command-injection-flaws-in-moveit-waf-and-loadmaster":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":15,"entities":16,"cves":30,"sources":41,"events":54,"mitre_techniques":58,"mitre_mitigations":71,"d3fend_countermeasures":108,"iocs":117,"cyber_observables":118,"tags":135,"extract_datetime":142,"article_type":143,"impact_scope":144,"pub_date":45,"reading_time_minutes":152,"createdAt":142,"updatedAt":142},"44a0ce0e-fa55-4c9c-a11a-cc688f0a7d1e","progress-patches-command-injection-flaws-in-moveit-waf-and-loadmaster","Progress Patches Critical Command Injection Flaws in MOVEit WAF and LoadMaster","Progress Software Patches Multiple Command Injection and WAF Bypass Vulnerabilities in ADC Products","Progress Software has released patches for a suite of vulnerabilities in its Application Delivery Controller (ADC) products, including MOVEit WAF and LoadMaster. The patched flaws include several authenticated command injection vulnerabilities (CVE-2026-3517, CVE-2026-3519, CVE-2026-3518, CVE-2026-4048) that could lead to remote code execution. Additionally, a WAF policy bypass flaw (CVE-2026-21876) was addressed. While the command injection bugs require authentication, they pose a significant risk, allowing privileged users to execute arbitrary OS commands. Customers are urged to apply the updates immediately.","## Executive Summary\n\n**[Progress Software](https://www.progress.com/)** has released security updates to address five vulnerabilities across its Application Delivery Controller (ADC) product line, which includes **MOVEit WAF** and **LoadMaster**. The vulnerabilities, patched on April 20, 2026, primarily consist of authenticated command injection flaws that could allow an attacker with specific administrative permissions to achieve remote code execution (RCE) on the appliance. The patched vulnerabilities are **CVE-2026-3517**, **CVE-2026-3519**, **CVE-2026-3518**, and **CVE-2026-4048** (command injection), and **CVE-2026-21876** (WAF bypass). Given the history of Progress products being high-value targets for threat actors, organizations are strongly advised to apply the necessary updates as soon as possible.\n\n---\n\n## Vulnerability Details\n\nThe patched vulnerabilities allow authenticated attackers to perform actions beyond their intended privileges, potentially leading to a full compromise of the appliance.\n\n### Command Injection Vulnerabilities\nThese flaws stem from the failure to properly sanitize user-supplied input in various API commands and UI functions.\n-   **CVE-2026-3517 & CVE-2026-3519:** These are command injection flaws in the `addcountry` and `aclcontrol` API commands, respectively. An attacker with 'Geo Administration' or 'VS Administration' permissions could inject and execute arbitrary OS commands.\n-   **CVE-2026-3518:** This flaw affects the `killsession` API command in LoadMaster. An authenticated attacker with 'All' permissions could execute commands due to unsanitized input.\n-   **CVE-2026-4048:** This is a UI-based command injection vulnerability. An attacker with 'All' permissions could upload a custom WAF rule file containing malicious code, leading to command execution on the appliance.\n\n### WAF Bypass Vulnerability\n-   **CVE-2026-21876:** This vulnerability allows for a bypass of the Web Application Firewall. The rule set designed to validate character sets in HTTP multipart request headers only checked the last header. An attacker could craft a request with a malicious payload encoded in an earlier multipart header to bypass WAF detection and potentially attack the backend application.\n\n## Affected Systems\n\nThe vulnerabilities affect a range of Progress ADC products, including:\n-   **MOVEit WAF**\n-   **LoadMaster**\n-   **ECS Connection Manager**\n-   **Connection Manager for ObjectScale**\n\nProgress has released patched versions, including `MOVEit WAF 7.2.63.0` and `LoadMaster GA 7.2.63.1`, to address these issues.\n\n## Exploitation Status\n\nAs of the announcement, there is no evidence that these specific vulnerabilities are being exploited in the wild. However, vulnerabilities in edge network appliances like ADCs are highly sought after by attackers as they provide a direct path into a corporate network.\n\n## Impact Assessment\n\nWhile the command injection vulnerabilities require authentication, a successful exploit would be severe. An attacker who compromises a low-privileged admin account (e.g., through phishing or credential stuffing) could potentially leverage these flaws to escalate privileges and gain full root access to the appliance. From there, they could intercept, decrypt, and modify traffic passing through the device, disable security controls, or use the appliance as a pivot point to attack the internal network. The WAF bypass vulnerability (**CVE-2026-21876**) exposes backend web applications to a range of attacks that the WAF is intended to prevent, such as SQL injection or cross-site scripting.\n\n## Cyber Observables — Hunting Hints\n\nThe following patterns could help identify attempts to exploit these vulnerabilities:\n\n| Type | Value | Description | Context |\n| :--- | :--- | :--- | :--- |\n| Log Source | ADC Appliance Audit Logs | Look for suspicious or malformed inputs related to the `addcountry`, `aclcontrol`, or `killsession` commands. | LoadMaster/MOVEit WAF system logs. |\n| File Path | Custom WAF rule files | Monitor for the upload of new or modified custom WAF rule files, especially if they contain unexpected scripts or commands. | File integrity monitoring on the appliance. |\n| Network Traffic Pattern | Suspicious requests with multiple multipart headers using non-standard character sets. | This could indicate an attempt to exploit the WAF bypass (CVE-2026-21876). | WAF logs, network traffic captures. |\n\n## Detection Methods\n\n1.  **Audit Log Review:** Regularly review the audit logs on Progress ADC appliances for any unusual administrative activity, particularly related to the vulnerable API commands or custom WAF rule management.\n2.  **Vulnerability Scanning:** Use vulnerability scanners to identify unpatched instances of MOVEit WAF and LoadMaster in your environment.\n3.  **Configuration Review:** Periodically review the roles and permissions of all administrative accounts on the appliances. Ensure the principle of least privilege is followed.\n\n## Remediation Steps\n\n1.  **Apply Updates:** The primary remediation is to update all affected Progress ADC products to the patched versions provided by Progress Software.\n2.  **Review Accounts:** Audit all administrative accounts on the appliances. Remove any that are unnecessary and ensure strong, unique passwords and MFA (if available) are used for the rest.\n3.  **Restrict Access:** Ensure the management interfaces for these appliances are not exposed to the internet and are only accessible from a secure, trusted network segment.","PATCH NOW: Progress Software fixes multiple command injection & WAF bypass flaws in MOVEit WAF and LoadMaster. Vulnerabilities (CVE-2026-3517, etc.) could lead to RCE. Update to the latest versions immediately! 🔒 #Vulnerability #PatchTuesday #MOVEit","Progress Software patches multiple command injection vulnerabilities (CVE-2026-3517, CVE-2026-3519, etc.) and a WAF bypass flaw in its MOVEit WAF and LoadMaster products.",[13,14],"Vulnerability","Patch Management","high",[17,21,24,26,28],{"name":18,"type":19,"url":20},"Progress Software","vendor","https://www.progress.com/",{"name":22,"type":23},"MOVEit WAF","product",{"name":25,"type":23},"LoadMaster",{"name":27,"type":23},"ECS Connection Manager",{"name":29,"type":23},"Connection Manager for ObjectScale",[31,33,35,37,39],{"id":32},"CVE-2026-3517",{"id":34},"CVE-2026-3519",{"id":36},"CVE-2026-3518",{"id":38},"CVE-2026-4048",{"id":40},"CVE-2026-21876",[42,48],{"url":43,"title":44,"date":45,"friendly_name":46,"website":47},"https://www.securityweek.com/progress-patches-multiple-vulnerabilities-in-moveit-waf-loadmaster/","Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster","2026-04-21","SecurityWeek","securityweek.com",{"url":49,"title":50,"date":51,"friendly_name":52,"website":53},"https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447","MOVEit WAF Vulnerabilities: CVE-2025-13444 / CVE-2025-13447","2026-01-13","Progress Community","community.progress.com",[55],{"datetime":56,"summary":57},"2026-04-20T00:00:00Z","Progress Software issues security updates to address five vulnerabilities in its ADC product line.",[59,63,67],{"id":60,"name":61,"tactic":62},"T1059.004","Unix Shell","Execution",{"id":64,"name":65,"tactic":66},"T1190","Exploit Public-Facing Application","Initial Access",{"id":68,"name":69,"tactic":70},"T1068","Exploitation for Privilege Escalation","Privilege Escalation",[72,82,99],{"id":73,"name":74,"d3fend_techniques":75,"description":80,"domain":81},"M1051","Update Software",[76],{"id":77,"name":78,"url":79},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","The primary and most effective mitigation is to apply the security updates provided by Progress Software.","enterprise",{"id":83,"name":84,"d3fend_techniques":85,"description":98,"domain":81},"M1026","Privileged Account Management",[86,90,94],{"id":87,"name":88,"url":89},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring",{"id":91,"name":92,"url":93},"D3-LAM","Local Account Monitoring","https://d3fend.mitre.org/technique/d3f:LocalAccountMonitoring",{"id":95,"name":96,"url":97},"D3-SPP","Strong Password Policy","https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy","Since the vulnerabilities require authentication, auditing and limiting privileged accounts reduces the attack surface.",{"id":100,"name":101,"d3fend_techniques":102,"description":107,"domain":81},"M1035","Limit Access to Resource Over Network",[103],{"id":104,"name":105,"url":106},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Restrict access to the appliance's management interface to a secure, isolated network segment.",[109,111],{"technique_id":77,"technique_name":78,"url":79,"recommendation":110,"mitre_mitigation_id":73},"The immediate and most crucial action for all organizations using Progress MOVEit WAF, LoadMaster, or other affected ADC products is to apply the security patches released on April 20, 2026. These updates directly address the root cause of the command injection and WAF bypass vulnerabilities. Create an emergency change request to deploy the patched versions, such as `MOVEit WAF 7.2.63.0` and `LoadMaster GA 7.2.63.1`. Prioritize patching internet-facing appliances first. Given that these are authenticated vulnerabilities, the risk may seem lower, but a determined attacker can find ways to acquire credentials. Patching is the only way to fully eliminate the risk posed by these specific CVEs.",{"technique_id":112,"technique_name":113,"url":114,"recommendation":115,"mitre_mitigation_id":116},"D3-UAP","User Account Permissions","https://d3fend.mitre.org/technique/d3f:UserAccountPermissions","As a powerful compensating control, organizations should conduct a thorough audit of all user accounts and permissions on their Progress ADC appliances. Since vulnerabilities like CVE-2026-3517 and CVE-2026-3519 require specific administrative roles ('Geo Administration', 'VS Administration'), enforcing the principle of least privilege is critical. Review every account with these or 'All' permissions. Do they absolutely need this level of access? Can their permissions be downgraded? Remove any dormant or unnecessary accounts. For remaining privileged accounts, ensure they are used only when necessary and that their activity is closely monitored. By minimizing the number of accounts that can access the vulnerable API functions, you significantly reduce the likelihood that a compromised account could be used to exploit these command injection flaws.","M1018",[],[119,125,130],{"type":120,"value":121,"description":122,"context":123,"confidence":124},"log_source","ADC Appliance Audit Logs","Look for suspicious or malformed inputs related to the `addcountry`, `aclcontrol`, or `killsession` commands, which could indicate exploitation attempts.","LoadMaster/MOVEit WAF system logs ingested into a SIEM.","medium",{"type":126,"value":127,"description":128,"context":129,"confidence":15},"file_path","/var/airlock/waf/custom-rules/","Monitor for the upload of new or modified custom WAF rule files, especially if they contain unexpected scripts or commands, relating to CVE-2026-4048.","File integrity monitoring on the appliance.",{"type":131,"value":132,"description":133,"context":134,"confidence":124},"network_traffic_pattern","HTTP requests with multiple `Content-Type: multipart/form-data` headers.","A crafted request with multiple multipart headers using non-standard character sets could indicate an attempt to exploit the WAF bypass (CVE-2026-21876).","WAF logs, full packet capture analysis.",[18,136,25,137,138,139,140,141],"MOVEit","vulnerability","command injection","RCE","WAF bypass","patch management","2026-04-21T15:00:00.000Z","Advisory",{"geographic_scope":145,"industries_affected":146,"other_affected":150},"global",[147,148,149],"Technology","Finance","Healthcare",[151],"Users of Progress Software ADC products",4,1776792985743]