
Progress Software has issued security updates to address multiple vulnerabilities in its MOVEit WAF and LoadMaster products, warning that the flaws could allow attackers to execute arbitrary code and compromise systems.
The vulnerabilities include several high-severity issues—tracked as CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048—that impact APIs and user interfaces within Progress ADC products. These flaws stem largely from improper input validation, allowing authenticated users to inject malicious commands and potentially gain control over affected systems.
Specifically, certain commands such as “addcountry,” “aclcontrol,” and “killsession” fail to properly sanitize user input, creating opportunities for OS command injection and remote code execution. In addition, a vulnerability in the web application firewall (WAF) interface enables attackers to upload malicious rule files, which can lead to code execution during processing.
Another issue, identified as CVE-2026-21876, allows attackers to bypass firewall protections by exploiting weaknesses in how non-standard character sets are handled in HTTP multipart request headers.
Successful exploitation of these vulnerabilities could enable attackers with valid permissions to execute arbitrary commands on LoadMaster appliances and MOVEit WAF environments, posing serious risks to enterprise infrastructure.
Progress has released patches across multiple versions, including MOVEit WAF 7.2.63.0 and updated LoadMaster releases, and has urged organizations to apply updates immediately. Security agencies have also flagged these vulnerabilities as critical, noting their potential for remote exploitation and significant impact if left unpatched.
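As an added illustration of the charset handling issue described for CVE-2026-21876 (not code from Progress or from this article), a defender-side check can flag multipart requests whose headers declare a character set outside an allowlist, so they can be logged or rejected before inspection rules run. The allowlist, the function name and the sample request, including its placeholder charset name, are assumptions constructed for this example.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

# Assumption: charsets that the inspection layer and the backend decode identically.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

def flag_multipart_charsets(content_type, body):
    """Return (label, charset) for each header declaring a charset outside the allowlist."""
    # Rebuild a minimal MIME message so the standard parser can split the parts.
    raw = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():  # the request itself first, then each form part
        charset = part.get_content_charset()  # lower-cased, or None if absent
        if charset is None or charset in ALLOWED_CHARSETS:
            continue
        name = part.get_param("name", header="content-disposition")
        label = collapse_rfc2231_value(name) if name else "<request>"
        findings.append((label, charset))
    return findings

# Constructed sample request; "x-example-charset" is a placeholder, not a real charset.
SAMPLE_CT = "multipart/form-data; boundary=demo42"
SAMPLE_BODY = (
    b"--demo42\r\n"
    b'Content-Disposition: form-data; name="title"\r\n'
    b"Content-Type: text/plain; charset=UTF-8\r\n\r\n"
    b"hello\r\n"
    b"--demo42\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"Content-Type: text/plain; charset=x-example-charset\r\n\r\n"
    b"some text\r\n"
    b"--demo42--\r\n"
)

if __name__ == "__main__":
    for label, charset in flag_multipart_charsets(SAMPLE_CT, SAMPLE_BODY):
        print(f"review: field {label!r} declares charset {charset!r}")
```

A check like this is a monitoring aid while updates are scheduled and does not replace applying the vendor patches.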




