Progress Software has released a critical security bulletin for April 2026, revealing five high-impact vulnerabilities affecting MOVEit WAF and related Application Delivery Controller (ADC) products. These flaws present a dual threat: the ability for authenticated users to seize total system control and for attackers to slip malicious payloads past security filters.
The advisory highlights four distinct Remote Code Execution (RCE) vulnerabilities and a severe WAF Bypass mechanism.
Four vulnerabilities (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048) stem from “Improper Neutralization of Special Elements used in a Command”. These flaws allow authenticated attackers to “execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input” across various administrative functions.
- API Exploitation: Vulnerabilities were found in specific commands including addcountry, killsession, and aclcontrol.
- UI Exploitation: One flaw involves the file upload process for custom WAF rules, where unsanitized input can lead to a complete system breakout.
Perhaps most concerning is a logic bug in how the WAF handles HTTP multipart requests (CVE-2026-21876). While the system is designed to flag non-standard character sets to prevent evasion, a flaw in the iteration logic means validation only occurs against the final header observed.
The bulletin warns that “this vulnerability allows a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection”.
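The iteration flaw can be modelled, as an added illustration rather than Progress's own code (which is not public), as a checker that remembers only the last charset it saw versus one that validates every part. The allowed-charset policy, the boundary string and the sample multipart body are all assumed or constructed here.

```python
"""Hypothetical model of the multipart charset check described for CVE-2026-21876.
Only the "last header observed wins" behaviour comes from the advisory."""
import re

ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}  # assumed policy
CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.-]+)"?', re.IGNORECASE)


def part_charsets(body: bytes, boundary: str):
    """Yield the charset declared by each part's Content-Type header (None if absent)."""
    delimiter = b"--" + boundary.encode()
    for raw_part in body.split(delimiter)[1:]:
        if raw_part.startswith(b"--"):  # closing delimiter reached
            break
        headers, _, _payload = raw_part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        charset = None
        for line in headers.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-type:"):
                m = CHARSET_RE.search(line)
                charset = m.group(1).lower() if m else None
        yield charset


def flawed_check(body: bytes, boundary: str) -> bool:
    """Mirrors the bug class: only the final charset seen is validated."""
    last = None
    for cs in part_charsets(body, boundary):
        last = cs  # earlier parts are overwritten and never checked
    return last is None or last in ALLOWED_CHARSETS


def fixed_check(body: bytes, boundary: str) -> bool:
    """Every part's charset must be acceptable; any violation rejects the request."""
    return all(cs is None or cs in ALLOWED_CHARSETS
               for cs in part_charsets(body, boundary))


# Constructed sample: part "a" declares a non-standard charset, part "b" is plain UTF-8.
BOUNDARY = "XyZ"
SAMPLE = (
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="a"\r\n'
    b"Content-Type: text/plain; charset=x-nonstandard\r\n\r\n"
    b"hello\r\n"
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"world\r\n"
    b"--XyZ--\r\n"
)
```

Run against the sample, `flawed_check` accepts the request because the last part looks harmless, while `fixed_check` rejects it on the first part's charset.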
The vulnerabilities impact MOVEit WAF GA v7.2.62.2 and older. Additionally, these flaws affect other Progress ADC products, including Progress LoadMaster, ECS Connection Manager, and Object Scale Connection Manager.
Progress Software has officially addressed these risks and “strongly recommends performing an upgrade to the latest version”.
Administrators should download the updated firmware (MOVEit WAF v7.2.63.0) and checksum verification files from the Progress Customer Portal immediately.