{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3517", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-03-04T15:10:14.967Z", "datePublished": "2026-04-20T13:22:54.867Z", "dateUpdated": "2026-04-20T14:06:19.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-20T13:22:54.867Z"}, "title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-77", "description": "CWE-77", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "affected": [{"vendor": "Progress Software", "product": "LoadMaster", "versions": [{"status": "affected", "version": "7.1.32.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "ECS Connections Manager", "versions": [{"status": "affected", "version": "7.2.49.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "Object Scale Connection Manager", "versions": [{"status": "affected", "version": "7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "MOVEit WAF", "versions": [{"status": "affected", "version": "7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command"}]}], "references": [{"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Michael Argany of TrendAI Research", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T13:58:53.868792Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:06:19.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T13:58:53.868792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:59:52.965Z"}}], "cna": {"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Argany of TrendAI Research"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "LoadMaster", "versions": [{"status": "affected", "version": "7.1.32.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "ECS Connections Manager", "versions": [{"status": "affected", "version": "7.2.49.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "Object Scale Connection Manager", "versions": [{"status": "affected", "version": "7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "MOVEit WAF", "versions": [{"status": "affected", "version": "7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command", "supportingMedia": [{"type": "text/html", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-20T13:22:54.867Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3517", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:06:19.122Z", "dateReserved": "2026-03-04T15:10:14.967Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-04-20T13:22:54.867Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command"}], "id": "CVE-2026-3517", "lastModified": "2026-04-20T19:05:30.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2026-04-20T14:16:19.330", "references": [{"source": "security@progress.com", "url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:24:20.971674+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for the affected Progress ADC products when released.", "Restrict or remove Geo Administration permissions from non\u2011privileged users.", "Configure the API endpoint to enforce input validation or limit allowed characters for the 'addcountry' parameter.", "Use network segmentation and firewall rules to limit external reach to the LoadMaster appliance."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Progress Software\u2019s ADC portfolio is affected. The products listed are LoadMaster, ECS Connections Manager, MOVEit WAF, and Object Scale Connection Manager. The CVE data does not specify affected releases or patch identifiers, so current installations of any version of these products should be evaluated for the presence of the 'addcountry' API and for the documented input validation flaw.", "description_and_impact": "Easily encoded unsanitized input in the 'addcountry' API call allows an attacker with 'Geo Administration' rights to inject operating\u2011system commands. The flaw is a classic OS command injection (CWE\u201177) and can lead to full remote code execution on the LoadMaster appliance. Because the vulnerability is accessed through API endpoints, an attacker can gain the same ability as the authenticated user, potentially compromising the entire ADC environment.", "risk_and_exploitability": "With a CVSS score of 8.4, this vulnerability falls into the high severity category. The EPSS score is not available, making it difficult to estimate how frequently exploit code is attempted against similar flaws, but the lack of a KEV listing suggests that it may not yet be actively exploited in the wild. The required conditions\u2014valid credentials with Geo Administration, access to the vulnerable API, and unsanitized input\u2014mean that an attacker can carry out the exploit remotely and without needing local privileges. The potential impact is complete compromise of the LoadMaster appliance, including data exfiltration, reboot, or service disruption."}}}}, "created": "2026-04-20T15:30:06.168380+00:00", "updated": "2026-04-20T15:30:06.168397+00:00", "vendors": []}