Progress Software has issued patches for multiple MOVEit WAF and LoadMaster vulnerabilities that could allow remote code execution and OS command injection. The fixes address CVE-2026-3517 and CVE-2026-3519 in APIs used by Progress ADC products, which could be exploited by users with Geo Administration or VS Administration permissions to run arbitrary commands on the LoadMaster appliance.
Another issue, CVE-2026-3518, affects an API in the ADC products’ LoadMaster and can be exploited by an authenticated attacker with All permissions because input to the killsession command is not sanitised. A fourth defect, CVE-2026-4048, impacts the UI and could let an authenticated attacker with All permissions inject code into a custom WAF rule file during upload. Additionally, CVE-2026-21876 describes a firewall policy bypass in the rule set for non-standard character sets used in HTTP multipart request headers.
Patches are available for MOVEit WAF version 7.2.63.0 and LoadMaster GA 7.2.63.1, among other components, though Progress says it has not received reports of exploitation.