Refine your search
9 vulnerabilities found for LoadMaster by Progress Software
CVE-2026-4048 (GCVE-0-2026-4048)
Vulnerability from cvelistv5
Published
2026-04-20 13:36
Modified
2026-04-20 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: V7.1.20.0 < V7.2.63.0 |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:58:09.911245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:06:18.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.1.20.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process."
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:36:49.475Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-4048",
"datePublished": "2026-04-20T13:36:49.475Z",
"dateReserved": "2026-03-12T12:17:05.403Z",
"dateUpdated": "2026-04-20T14:06:18.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3519 (GCVE-0-2026-3519)
Vulnerability from cvelistv5
Published
2026-04-20 13:32
Modified
2026-04-20 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: V7.2.45.0 < V7.2.63.0 |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:57:52.187676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:06:18.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.45.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cVS Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027aclcontrol\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cVS Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027aclcontrol\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:32:50.259Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3519",
"datePublished": "2026-04-20T13:32:50.259Z",
"dateReserved": "2026-03-04T15:10:17.159Z",
"dateUpdated": "2026-04-20T14:06:18.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3518 (GCVE-0-2026-3518)
Vulnerability from cvelistv5
Published
2026-04-20 13:29
Modified
2026-04-20 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: V7.2.37.0 < V7.2.63.0 |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:57:37.380160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:06:18.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.37.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "V7.2.62.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Argany of TrendAI Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027killsession\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027killsession\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:29:33.794Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3518",
"datePublished": "2026-04-20T13:29:33.794Z",
"dateReserved": "2026-03-04T15:10:16.116Z",
"dateUpdated": "2026-04-20T14:06:18.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3517 (GCVE-0-2026-3517)
Vulnerability from cvelistv5
Published
2026-04-20 13:22
Modified
2026-04-20 14:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.1.32.0 < V7.2.63.0 |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T13:58:53.868792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:06:19.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.1.32.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ECS Connections Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.49.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Object Scale Connection Manager",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.62.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MOVEit WAF",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.63.0",
"status": "affected",
"version": "7.2.62.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Argany of TrendAI Research"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027addcountry\u0027 command"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cGeo Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the \u0027addcountry\u0027 command"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T13:22:54.867Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager \u0026 MOVEit WAF",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2026-3517",
"datePublished": "2026-04-20T13:22:54.867Z",
"dateReserved": "2026-03-04T15:10:14.967Z",
"dateUpdated": "2026-04-20T14:06:19.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13447 (GCVE-0-2025-13447)
Vulnerability from cvelistv5
Published
2026-01-13 14:31
Modified
2026-02-26 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.2.50 < V7.2.62.2 Version: 7.1.32 < V7.2.62.2 Version: 7.2.37 < V7.2.62.2 Version: 7.2.39 < V7.2.62.2 Version: 7.2.50 < V7.2.54.16 Version: 7.1.32 < V7.2.54.16 Version: 7.2.37 < V7.2.54.16 Version: 7.2.39 < V7.2.54.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T04:57:19.495084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:45.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"LoadMaster Appliance",
"MOVEit WAF Appliance",
"ECS Appliance",
"ObjectScale Appliance"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.1.32",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.37",
"versionType": "custom"
},
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.1.32",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.37",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:31:56.911Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13447",
"datePublished": "2026-01-13T14:31:56.911Z",
"dateReserved": "2025-11-19T19:18:13.816Z",
"dateUpdated": "2026-02-26T15:04:45.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13444 (GCVE-0-2025-13444)
Vulnerability from cvelistv5
Published
2026-01-13 14:26
Modified
2026-02-26 15:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Summary
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.2.50 < V7.2.62.2 Version: 7.2.50 < V7.2.54.16 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T04:57:18.478535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:46.116Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"LoadMaster Appliance",
"MOVEit WAF Appliance",
"ECS Appliance",
"ObjectScale Appliance"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.2.62.2",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
},
{
"lessThan": "V7.2.54.16",
"status": "affected",
"version": "7.2.50",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Multi Tenant LoadMaster"
],
"product": "Multi Tenant LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "V7.1.35.15",
"status": "affected",
"version": "7.2.39",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with \u201cUser Administration\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T14:26:50.661Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2025-13444",
"datePublished": "2026-01-13T14:26:50.661Z",
"dateReserved": "2025-11-19T19:14:26.777Z",
"dateUpdated": "2026-02-26T15:04:46.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2449 (GCVE-0-2024-2449)
Vulnerability from cvelistv5
Published
2024-03-22 13:35
Modified
2024-08-12 19:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
A cross-site request forgery vulnerability has been identified in LoadMaster. It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.2.55.0 ≤ Version: 7.2.49.0 ≤ Version: 7.2.48.10 ≤ Version: 7.1.35.10 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.568Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://progress.com/loadmaster"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.59.3",
"status": "affected",
"version": "7.2.55.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:loadmaster:*:*:*:*:lts:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "progress",
"versions": [
{
"lessThan": "7.2.48.11",
"status": "affected",
"version": "7.2.48.10",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "progress",
"versions": [
{
"lessThan": "7.2.54.9",
"status": "affected",
"version": "7.2.49.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:progress:loadmaster:*:*:*:*:ml:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "progress",
"versions": [
{
"lessThan": "7.1.35.11",
"status": "affected",
"version": "7.1.35.10",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2449",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-22T14:59:39.862131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:23:36.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"LoadMaster",
"Multi-Tenancy",
"ECS Connection Manager",
"LM 360 Connector"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "7.2.59.3 ( LoadMaster GA)",
"status": "affected",
"version": "7.2.55.0",
"versionType": "semver"
},
{
"lessThan": "7.2.54.9 ( LoadMaster LTSF)",
"status": "affected",
"version": "7.2.49.0",
"versionType": "semver"
},
{
"lessThan": "7.2.48.11 (LoadMaster LTS)",
"status": "affected",
"version": "7.2.48.10",
"versionType": "semver"
},
{
"lessThan": "7.1.35.11 (LoadMaster MT)",
"status": "affected",
"version": "7.1.35.10",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rhino Security Labs - David Yesland"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A cross-site request forgery vulnerability has been identified in LoadMaster.\u0026nbsp; It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator."
}
],
"value": "A cross-site request forgery vulnerability has been identified in LoadMaster.\u00a0 It is possible for a malicious actor, who has prior knowledge of the IP or hostname of a specific LoadMaster, to direct an authenticated LoadMaster administrator to a third-party site. In such a scenario, the CSRF payload hosted on the malicious site would execute HTTP transactions on behalf of the LoadMaster administrator."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:35:39.103Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://progress.com/loadmaster"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LoadMaster Cross-Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-2449",
"datePublished": "2024-03-22T13:35:39.103Z",
"dateReserved": "2024-03-14T12:32:14.175Z",
"dateUpdated": "2024-08-12T19:23:36.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2448 (GCVE-0-2024-2448)
Vulnerability from cvelistv5
Published
2024-03-22 13:32
Modified
2024-11-15 20:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
An OS command injection vulnerability has been identified in LoadMaster. An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.2.55.0 ≤ Version: 7.2.49.0 ≤ Version: 7.2.48.10 ≤ Version: 7.1.35.10 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.59.3",
"status": "affected",
"version": "7.2.55.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.54.9",
"status": "affected",
"version": "7.2.49.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.48.11",
"status": "affected",
"version": "7.2.48.10",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.1.35.11",
"status": "affected",
"version": "7.1.35.10",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-25T16:42:59.399950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T20:05:31.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://progress.com/loadmaster"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"LoadMaster",
"Multi-Tenancy"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "7.2.59.3 ( LoadMaster GA)",
"status": "affected",
"version": "7.2.55.0",
"versionType": "semver"
},
{
"lessThan": "7.2.54.9 ( LoadMaster LTSF)",
"status": "affected",
"version": "7.2.49.0",
"versionType": "semver"
},
{
"lessThan": "7.2.48.11 (LoadMaster LTS)",
"status": "affected",
"version": "7.2.48.10",
"versionType": "semver"
},
{
"lessThan": "7.1.35.11 (LoadMaster MT)",
"status": "affected",
"version": "7.1.35.10",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rhino Security Labs - David Yesland"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An OS command injection vulnerability has been identified in LoadMaster.\u0026nbsp; An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection."
}
],
"value": "An OS command injection vulnerability has been identified in LoadMaster.\u00a0 An authenticated UI user with any permission settings may be able to inject commands into a UI component using a shell command resulting in OS command injection."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88: OS Command Injection"
}
]
},
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113 API Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-22T13:32:43.657Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://progress.com/loadmaster"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/25119767150477-LoadMaster-Security-Vulnerabilities-CVE-2024-2448-and-CVE-2024-2449"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LoadMaster Command Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-2448",
"datePublished": "2024-03-22T13:32:43.657Z",
"dateReserved": "2024-03-14T12:32:13.199Z",
"dateUpdated": "2024-11-15T20:05:31.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1212 (GCVE-0-2024-1212)
Vulnerability from cvelistv5
Published
2024-02-21 17:39
Modified
2025-10-21 23:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Progress Software | LoadMaster |
Version: 7.2.48.1 ≤ Version: 7.2.54.0 ≤ Version: 7.2.55.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:24.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"product",
"x_transferred"
],
"url": "https://kemptechnologies.com/"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://freeloadbalancer.com/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.48.10",
"status": "affected",
"version": "7.2.48.1",
"versionType": "custom"
},
{
"lessThan": "7.2.54.8",
"status": "affected",
"version": "7.2.54.0",
"versionType": "custom"
},
{
"lessThan": "7.2.59.2",
"status": "affected",
"version": "7.2.55.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.48.10",
"status": "affected",
"version": "7.2.48.1",
"versionType": "custom"
},
{
"lessThan": "7.2.54.8",
"status": "affected",
"version": "7.2.54.0",
"versionType": "custom"
},
{
"lessThan": "7.2.59.2",
"status": "affected",
"version": "7.2.55.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:kemptechnologies:loadmaster:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "loadmaster",
"vendor": "kemptechnologies",
"versions": [
{
"lessThan": "7.2.48.10",
"status": "affected",
"version": "7.2.48.1",
"versionType": "custom"
},
{
"lessThan": "7.2.54.8",
"status": "affected",
"version": "7.2.54.0",
"versionType": "custom"
},
{
"lessThan": "7.2.59.2",
"status": "affected",
"version": "7.2.55.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1212",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T04:55:44.568916Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-11-18",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1212"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:23.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-1212"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-18T00:00:00.000Z",
"value": "CVE-2024-1212 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"LoadMaster Management Interface"
],
"platforms": [
"Linux"
],
"product": "LoadMaster",
"vendor": "Progress Software",
"versions": [
{
"lessThan": "7.2.48.10",
"status": "affected",
"version": "7.2.48.1",
"versionType": "semver"
},
{
"lessThan": "7.2.54.8",
"status": "affected",
"version": "7.2.54.0",
"versionType": "semver"
},
{
"lessThan": "7.2.59.2",
"status": "affected",
"version": "7.2.55.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rhino Security Labs"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUnauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution."
}
],
"impacts": [
{
"capecId": "CAPEC-113",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-113 API Manipulation"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T20:45:42.781Z",
"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"shortName": "ProgressSoftware"
},
"references": [
{
"tags": [
"product"
],
"url": "https://kemptechnologies.com/"
},
{
"tags": [
"product"
],
"url": "https://freeloadbalancer.com/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/24325072850573-Release-Notice-LMOS-7-2-59-2-7-2-54-8-7-2-48-10-CVE-2024-1212"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "LoadMaster Pre-Authenticated OS Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
"assignerShortName": "ProgressSoftware",
"cveId": "CVE-2024-1212",
"datePublished": "2024-02-21T17:39:12.599Z",
"dateReserved": "2024-02-02T18:16:01.280Z",
"dateUpdated": "2025-10-21T23:05:23.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}