
"Two of the bugs, CVE-2026-3517 and CVE-2026-3519, impact APIs in Progress ADC products and could be exploited by users with 'Geo Administration' and 'VS Administration' permissions for the execution of arbitrary commands on the LoadMaster appliance."
"The fourth security defect, CVE-2026-4048, impacts the UI in Progress ADC products. An authenticated attacker with the 'All' permissions can inject code in a custom WAF rule file, leading to command execution as the input is improperly sanitized during the file upload process."
"This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection, leading to potential exploitation by authenticated attackers."
Progress Software addressed several vulnerabilities in MOVEit WAF and LoadMaster products that could allow remote code execution and OS command injection. Key issues include improper input sanitization in commands like 'addcountry' and 'aclcontrol', which can be exploited by users with specific permissions. Another vulnerability allows authenticated attackers to inject code through a custom WAF rule file. Additionally, a firewall policy bypass issue was identified, enabling malicious payloads to evade detection. Patches were released for various product versions to mitigate these risks.
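The summary above attributes two of the command-injection bugs to improper sanitization of parameters reaching commands such as 'addcountry' and 'aclcontrol'. The following is an added illustration, not Progress code and not derived from the patched product: a hypothetical `addcountry` handler written first in the vulnerable shape (untrusted input spliced into a shell string) and then in the hardened shape (allowlist validation, then an argv list passed without a shell). The `geoctl` binary name, the two-letter country-code format and the sample inputs are all assumptions made for the example.

```python
import re
import shlex

# Assumed format for the parameter: an uppercase ISO-style two-letter code.
# The real product's accepted format is not stated on the page.
COUNTRY_CODE = re.compile(r"[A-Z]{2}")

# Characters that change the meaning of a command when a shell parses it.
SHELL_METACHARS = set(";&|`$(){}<>\n\\\"'")


def vulnerable_command(country: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated into a shell
    command string, so any metacharacter in `country` alters what runs."""
    return f"geoctl addcountry {country}"  # hypothetical binary name


def is_valid_country(country: str) -> bool:
    """Allowlist check: accept only the exact expected shape."""
    return COUNTRY_CODE.fullmatch(country) is not None


def contains_shell_metachars(value: str) -> bool:
    """Cheap detection helper for logging/alerting on suspicious input."""
    return any(ch in SHELL_METACHARS for ch in value)


def hardened_argv(country: str) -> list[str]:
    """Hardened pattern: validate against the allowlist, then build an argv
    list. Passing a list with shell=False means the value is delivered to the
    program as one argument, never parsed by a shell."""
    if not is_valid_country(country):
        raise ValueError(f"rejected country parameter: {country!r}")
    return ["geoctl", "addcountry", country]


def safe_display(argv: list[str]) -> str:
    """For logs only: quote each argument so the log line is unambiguous."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a metacharacter.
    for sample in ("US", "US; echo injected"):
        print("vulnerable string :", vulnerable_command(sample))
        print("metachars present :", contains_shell_metachars(sample))
        try:
            print("hardened argv     :", safe_display(hardened_argv(sample)))
        except ValueError as exc:
            print("hardened result   :", exc)
```

The point of the hardened version is that the validation failure and the argv construction are separate defences: even if the allowlist were loosened later, the value would still reach the program as a single argument rather than being re-parsed by `/bin/sh`. The same split (strict format check, then no shell) applies to the rule-file upload path the page describes, where file contents should be parsed as data rather than handed to an interpreter.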
Read at SecurityWeek