Zero Day Monitor (ZDM)
CVE-2026-3519 · PATCHED · CVSS 8.4
progress · adc

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command.

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| progress | adc | V7.2.45.0, V7.2.49.0, V7.2.62.0, V7.2.62.0 |

Also Affects

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| kemp | loadmaster | cert_advisory | 90% |
| progress | moveit | cert_advisory | 90% |

References

  • https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876 (vendor-advisory)

Related News (3 articles)

  • Tier B · BSI Advisories · 9d ago
    [NEW] [high] Kemp LoadMaster and Progress Software MOVEit WAF: Multiple vulnerabilities
    → No new info (linked only)
  • Tier B · CCCS Canada · 10d ago
    Progress security advisory (AV26-371)
    → No new info (linked only)
  • Tier C · VulDB · 10d ago
    CVE-2026-3519 | Progress LoadMaster prior 7.2.63.0 API command injection
    → No new info (linked only)

CVSS 3.1: 8.4 HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: V7.2.63.0
CWE: CWE-77
Published: Apr 20, 2026
Last enriched: 10d ago (v2)
Tags: CVE-2026-3519
Trending Score: 15
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-4670 · EXP
    Improper Authentication vulnerability in Progress MOVEit Automation
    Trending: 74
  • CRITICAL · CVE-2026-5174 · EXP
    Improper Access Control Vulnerability in Progress MOVEit Automation
    Trending: 60
  • HIGH · CVE-2026-3518
    OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
    Trending: 17
  • HIGH · CVE-2026-6022 · EXP
    Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX
    Trending: 15
  • HIGH · CVE-2026-4048
    OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
    Trending: 15

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 20, 2026: CVE Published
  • Apr 20, 2026: Discovered by ZDM
  • Apr 20, 2026: Updated: severity, tags
  • Apr 22, 2026: Patch Available

Version History

Current version: v2 (last enriched 10d ago)

  • v2 · Tier C · 10d ago · via VulDB
    Updated severity to CRITICAL, marked exploit availability as false, and added CVE-2026-3519 tag.
    Updated: severity, tags
  • v1 · 10d ago
    Initial creation