The Progress Kemp LoadMaster team has confirmed a significant security event involving five high-severity vulnerabilities affecting its application delivery controllers. These flaws, which impact both General Availability (GA) and Long-Term Support (LTSF) versions, could allow authenticated attackers to seize control of appliances or bypass critical security filters.
The advisory details two primary categories of risk: administrative command execution and the evasion of Web Application Firewall (WAF) rules.
Four of the disclosed vulnerabilities (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048) involve OS Command Injection. These flaws allow an authenticated user to move beyond the management interface and execute arbitrary commands directly on the underlying LoadMaster appliance.
- API Vulnerabilities: Most of these issues stem from unsanitized input in the LoadMaster API, which the advisory describes attackers “exploiting unsanitized input” to abuse.
- WAF Rule Upload: One specific flaw, CVE-2026-4048, occurs during the file upload process for custom WAF rules in the user interface.
The fifth vulnerability affects the OWASP Core Rule Set (CRS) logic used by the LoadMaster WAF. Because of a bug in how the system iterates over multiple “Content-Type” headers in a single request, character set validation is applied only to the final header; any earlier Content-Type header is never checked.
As noted in the advisory, “This vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection”.
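The failure mode described above is a general one: a validator that loops over repeated headers but keeps only the last value ends up checking a single header. The following added example (not CRS code and not Progress's own fix; the charset allowlist, header samples and function names are constructed for illustration) shows the buggy "last value wins" check beside a hardened check that validates every Content-Type header, and a stricter policy that rejects duplicate Content-Type headers outright.

```python
"""Constructed illustration of the multi-header charset validation bug class.

Not the CRS implementation; it reproduces the logic error (only the last
Content-Type header is validated) and shows two defensive alternatives.
"""
from typing import Dict, List, Tuple

# Constructed allowlist; a real deployment configures this in its WAF policy.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}

Header = Tuple[str, str]


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'type/subtype; k=v; k2="v2"' into the media type and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return media_type, params


def charset_ok(value: str) -> bool:
    """True if the header carries no charset or one on the allowlist."""
    _, params = parse_content_type(value)
    charset = params.get("charset")
    return charset is None or charset in ALLOWED_CHARSETS


def content_type_values(headers: List[Header]) -> List[str]:
    """All Content-Type values in the request, in order, name matched case-insensitively."""
    return [v for n, v in headers if n.lower() == "content-type"]


def validate_last_only(headers: List[Header]) -> bool:
    """Buggy pattern: the loop visits every header but only retains the last
    Content-Type value, so the charset check runs against that one alone."""
    last = None
    for value in content_type_values(headers):
        last = value  # earlier values are overwritten and never validated
    return last is None or charset_ok(last)


def validate_all(headers: List[Header]) -> bool:
    """Hardened: every Content-Type header must pass the charset check."""
    return all(charset_ok(v) for v in content_type_values(headers))


def has_duplicate_content_type(headers: List[Header]) -> bool:
    """Stricter policy: a request that repeats Content-Type is itself suspect."""
    return len(content_type_values(headers)) > 1


# Constructed sample requests. In SUSPECT_HEADERS the off-allowlist charset
# sits in the first Content-Type header and an allowed one in the last.
SUSPECT_HEADERS: List[Header] = [
    ("Host", "lb.example.internal"),
    ("Content-Type", "multipart/form-data; charset=x-unlisted; boundary=abc"),
    ("Content-Type", "multipart/form-data; charset=utf-8; boundary=abc"),
]

CLEAN_HEADERS: List[Header] = [
    ("Host", "lb.example.internal"),
    ("Content-Type", 'multipart/form-data; charset="UTF-8"; boundary=abc'),
]

if __name__ == "__main__":
    print("last-only accepts suspect request:", validate_last_only(SUSPECT_HEADERS))
    print("check-all accepts suspect request:", validate_all(SUSPECT_HEADERS))
    print("check-all accepts clean request:", validate_all(CLEAN_HEADERS))
    print("suspect request repeats Content-Type:", has_duplicate_content_type(SUSPECT_HEADERS))
```

Running the block shows the buggy validator accepting the request whose first Content-Type header carries a charset outside the allowlist, while the check-all version rejects it and still accepts the single-header request. Whether to validate every header or to refuse duplicate Content-Type headers altogether is a policy choice; the second is simpler to reason about because the body can only be decoded one way.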
The vulnerabilities affect several products within the Progress ecosystem:
| Affected Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| LoadMaster GA | v7.2.62.2 and older | |
| LoadMaster LTSF | v7.2.54.16 and older | |
| ECS Connection Manager | v7.2.62.2 and older | |
| Connection Manager for ObjectScale | v7.2.62.2 and older | |
While Progress reports they have “not received any reports that this vulnerability has been exploited,” the severity of the flaws makes immediate patching essential.
The LoadMaster team “strongly recommends performing an upgrade to the latest version” to mitigate these risks. Administrators should verify their current versioning and apply the April 20 patch distributed by Progress to ensure their application delivery infrastructure remains secure.