Security Advancements: A Leap Forward

21 April 2026 by
TechStora

Introduction to Security Vulnerabilities

Progress Software has recently released patches for multiple security vulnerabilities in its MOVEit WAF and LoadMaster products, including remote code execution and OS command injection flaws. These vulnerabilities could be exploited by authenticated attackers with Geo Administration and VS Administration permissions, allowing them to execute arbitrary commands on the LoadMaster appliance. The flaws exist due to the lack of proper sanitization of user-supplied input in certain APIs.

The vulnerabilities are tracked as CVE-2026-3517 and CVE-2026-3519, and impact the APIs in Progress ADC products. Another issue, tracked as CVE-2026-3518, affects an API in the LoadMaster product and can be exploited by an authenticated attacker with All permissions. The flaw exists because the killsession command allows unsanitized input.

Security Defects and Exploitation

A fourth security defect, tracked as CVE-2026-4048, impacts the UI in Progress ADC products. An authenticated attacker with All permissions can inject code in a custom WAF rule file, leading to command execution as the input is improperly sanitized during the file upload process. The successful exploitation of these flaws could allow authenticated attackers to execute arbitrary commands and code on the LoadMaster and MOVEit WAF appliances.

Additionally, Progress announced fixes for CVE-2026-21876, a firewall policy bypass issue in the rule set that flags non-standard character sets used in HTTP multipart request headers. Because of the flawed logic, character set validation is applied only to the last multipart content type header, even if the application iterates over all headers in the request.
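The last-header-only behaviour described for CVE-2026-21876 can be modelled and regression-tested as below; this is an added example, not code from Progress or from the rule set. The allow-list, the function names and the sample body (including the made-up charset `x-example-legacy`) are assumptions constructed for illustration.

```python
import re

# Assumption: illustrative allow-list, not the product's configured list.
ALLOWED = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
CHARSET = re.compile(r'charset\s*=\s*"?([^\s";]+)', re.I)

# Constructed sample body: the first part declares a made-up charset.
SAMPLE = (
    b"--B\r\n"
    b'Content-Disposition: form-data; name="a"\r\n'
    b"Content-Type: text/plain; charset=x-example-legacy\r\n\r\n"
    b"one\r\n"
    b"--B\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"two\r\n"
    b"--B--\r\n"
)

def part_charsets(body: bytes, boundary: bytes) -> list[str]:
    """Charset declared by each part's Content-Type header, in order."""
    found = []
    for section in body.split(b"--" + boundary)[1:]:
        if section.startswith(b"--"):  # closing delimiter reached
            break
        head = section.partition(b"\r\n\r\n")[0].decode("latin-1")
        for line in head.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-type":
                match = CHARSET.search(value)
                if match:
                    found.append(match.group(1).lower())
    return found

def last_only_check(charsets: list[str]) -> bool:
    """Model of the defect: every header is visited, one value is kept."""
    captured = None
    for cs in charsets:
        captured = cs  # overwritten each pass, so only the last survives
    return captured is None or captured in ALLOWED

def every_part_check(charsets: list[str]) -> bool:
    """Corrected logic: each part's charset must be on the allow-list."""
    return all(cs in ALLOWED for cs in charsets)

def offending(charsets: list[str]) -> list[str]:
    """Values to log when a request is rejected."""
    return [cs for cs in charsets if cs not in ALLOWED]
```

Running both checks over the same parsed request shows the disagreement that a post-patch regression test should assert never occurs.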

Patching and Mitigation

Progress has patched the bugs in MOVEit WAF version 7.2.6.30, LoadMaster GA version 7.2.6.31, LoadMaster LTSF version 7.2.5.417, ECS Connection Manager version 7.2.6.31, and Connection Manager for ObjectScale version 7.2.6.31. The company says it has not received any reports of exploitation of these vulnerabilities in the wild. It is recommended that users apply the patches as soon as possible to mitigate the risks associated with these vulnerabilities.

Conclusion and Recommendations

In conclusion, the security vulnerabilities in MOVEit WAF and LoadMaster products have been addressed by Progress Software through the release of patches. It is essential for users to apply these patches to protect their systems from potential exploitation. By staying up-to-date with the latest security patches and best practices, users can ensure the security and integrity of their systems and data.

Future Security Considerations

As technology continues to evolve, it is crucial for users to remain vigilant and proactive in their approach to security. By staying informed about potential vulnerabilities and applying patches in a timely manner, users can help protect their systems and data from potential threats. The importance of security cannot be overemphasized, and it is essential for users to prioritize security in their daily operations.