Progress Software Corporation has kicked off the 2026 security calendar with an important update for its network infrastructure products. On January 12, 2026, the vendor released patches addressing two high-severity Command Injection vulnerabilities that could allow remote attackers to execute malicious code on LoadMaster load balancers and MOVEit Web Application Firewalls (WAF).
The vulnerabilities, tracked as CVE-2025-13444 and CVE-2025-13447, both carry a CVSS score of 8.4, signaling a significant risk to organizations relying on these tools for application delivery and security.
The flaws reside in the User Interface (UI) and Application Programming Interface (API) of the affected products. By sending specially crafted requests to specific endpoints, an attacker could inject arbitrary system commands.
- CVE-2025-13444: This vulnerability targets the getcipherset command within the UI/API.
- CVE-2025-13447: This flaw affects a broader range of administrative commands, including addapikey, delapikey, delcert, dmidecode, listapikeys, and ssodomain.
If exploited, these “UI/API Command Injection Remote Code Execution” vulnerabilities could grant an attacker full control over the appliance.
Progress Software has confirmed that, as of the release date, there is no evidence of these flaws being used in the wild.
“We have not received any reports that these vulnerabilities have been exploited, and we are not aware of any direct operational impact on customers,” the advisory states.
However, the vendor explicitly recommends: “Nevertheless, all vulnerable systems should be patched appropriately to avoid exploitation of these vulnerabilities.”
The security update covers a wide range of deployments, including standard LoadMaster appliances, Long-Term Support Firmware (LTSF), and multi-tenant environments.
Administrators are urged to upgrade to the following versions immediately:
- LoadMaster GA: Upgrade to 7.2.62.2 (fixes 7.2.62.0 and prior).
- LoadMaster LTSF: Upgrade to 7.2.54.16 (fixes 7.2.54.15 and prior).
- Multi-Tenant Hypervisor: Upgrade to 7.1.35.15 (fixes 7.1.35.11 and prior).
- MOVEit WAF: Upgrade to 7.2.62.2 (fixes 7.2.62.1).
For organizations running the Multi-Tenant LoadMaster (LoadMaster MT), the patch process requires a two-step approach. The advisory notes a specific distinction in how the components are affected: “The MT hypervisor or Manager node is vulnerable to CVE-2025-13444 (only) and must be patched using the update listed above as soon as possible.”
However, the individual Virtual Network Functions (VNFs) running inside the environment are vulnerable to both CVEs and must be patched individually using the appropriate GA or LTSF release.
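To turn the upgrade list and the Multi-Tenant note above into a patch worklist, the following added example (not code from Progress or from the advisory) compares an appliance inventory against the fixed releases. The track labels, host names and inventory format are assumptions made for this example, and any release below the fixed one is flagged for upgrade.

```python
BOTH = ("CVE-2025-13444", "CVE-2025-13447")

# Fixed releases as listed in the article; track labels are names chosen here.
FIXED = {
    "loadmaster-ga": ("7.2.62.2", BOTH),
    "loadmaster-ltsf": ("7.2.54.16", BOTH),
    "mt-hypervisor": ("7.1.35.15", ("CVE-2025-13444",)),  # manager node: 13444 only
    "moveit-waf": ("7.2.62.2", BOTH),  # article gives no per-CVE split; both assumed
}

def parse_version(text):
    """Return the first four dotted fields as integers, so 7.2.54.9 < 7.2.54.16."""
    fields = text.strip().split(".")[:4]
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(f) for f in fields)

def triage(inventory):
    """Return (host, status, fixed_release, cves) for each host needing attention."""
    findings = []
    for host, track, version in inventory:
        if track not in FIXED:
            findings.append((host, "unknown-track", None, ()))
            continue
        fixed, cves = FIXED[track]
        try:
            installed = parse_version(version)
        except ValueError:
            # Never treat an unreadable version as patched.
            findings.append((host, "check-manually", fixed, cves))
            continue
        if installed < parse_version(fixed):
            findings.append((host, "upgrade", fixed, cves))
    return findings

# Constructed inventory. MT VNFs are listed under the GA or LTSF track they run,
# because the article says each VNF is patched with the GA or LTSF release.
SAMPLE = [
    ("lm-edge-01", "loadmaster-ga", "7.2.62.0"),
    ("lm-edge-02", "loadmaster-ga", "7.2.62.2"),
    ("lm-ltsf-01", "loadmaster-ltsf", "7.2.54.9"),
    ("mt-mgr-01", "mt-hypervisor", "7.1.35.11"),
    ("mt-vnf-07", "loadmaster-ltsf", "7.2.54.16"),
    ("waf-01", "moveit-waf", "7.2.62.1"),
    ("lm-lab", "loadmaster-ga", "unknown"),
]

if __name__ == "__main__":
    for host, status, fixed, cves in triage(SAMPLE):
        print(f"{host}: {status} -> {fixed} ({', '.join(cves)})")
```

The version fields are compared as integers because a plain string comparison would rank 7.2.54.9 above 7.2.54.16 and report an unpatched LTSF appliance as current.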