CVE-2026-3518PATCHED

progress · adc

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command

Affected Products

Vendor	Product	Versions
progress	adc	V7.2.37.0, V7.2.49.0, V7.2.62.0, V7.2.62.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
kemp	loadmaster	cert_advisory	90%
progress	moveit	cert_advisory	90%

References

https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876(vendor-advisory)

Related News (4 articles)

Tier D

SecurityWeek9d ago

Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster

→ No new info (linked only)

Tier B

BSI Advisories9d ago

[NEU] [hoch] Kemp LoadMaster und Progress Software MOVEit WAF: Mehrere Schwachstellen

→ No new info (linked only)

Tier B

CCCS Canada10d ago

Progress security advisory (AV26-371)

→ No new info (linked only)

Tier C

VulDB10d ago

CVE-2026-3518 | Progress LoadMaster prior 7.2.63.0 API command injection

→ No new info (linked only)

CVSS 3.18.4 HIGH

VectorCVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

V7.2.63.0

CWECWE-77

PublishedApr 20, 2026

Last enriched9d agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-4670EXP

Improper Authentication vulnerability in Progress MOVEit Automation

Trending: 75

CRITICALCVE-2026-5174EXP

Improper Access Control Vulnerability in Progress MOVEit Automation

Trending: 60

HIGHCVE-2026-6022EXP

Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX

Trending: 15

HIGHCVE-2026-3519

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Trending: 15

HIGHCVE-2026-4048

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Trending: 15

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 20, 2026

Discovered by ZDM

Apr 20, 2026

Updated: severity, tags

Apr 20, 2026

Updated: affectedVersions, tags

Apr 21, 2026

Patch Available

Apr 22, 2026

Version History

Last enriched 9d ago

v3Tier D9d ago

Updated affected versions to include V7.2.63.1 and V7.2.54.17, marked exploit availability as true, noted active exploitation, and added new CVE tags.

affectedVersionstags

via SecurityWeek

v2Tier C10d ago

Updated severity to CRITICAL, noted no available exploit, and added CVE-2026-3518 as a tag.

severitytags

via VulDB

v110d ago

Initial creation