Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF. The issues, tracked as CVE-2026-3517 and CVE-2026-3519, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as CWE-77 and carry a CVSS v3.1 vector of AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability.
CVE-2026-3517 allows an attacker with Geo Administration permissions to exploit the addcountry command, while CVE-2026-3519 requires VS Administration permissions to abuse the aclcontrol command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Progress Software disclosed and patched CVE-2026-21876, a high-severity WAF bypass in the OWASP Core Rule Set that could let unauthenticated attackers evade detection with a crafted multipart HTTP request. The company said MOVEit Cloud was already updated, urged customers to upgrade affected products, and noted it was not aware of active exploitation.
Progress published a security advisory covering CVE-2026-3519 along with several related vulnerabilities in its ADC products. The reference indicates public disclosure of the issue by April 20, 2026.
Progress received vulnerability reports on April 20, 2026 for two OS command injection flaws affecting its ADC products, specifically the LoadMaster appliance API. CVE-2026-3517 involves the 'addcountry' command and requires Geo Administration permissions, while CVE-2026-3519 involves the 'aclcontrol' command and requires VS Administration permissions.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
helpnetsecurity.com
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.