{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3518", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-03-04T15:10:16.116Z", "datePublished": "2026-04-20T13:29:33.794Z", "dateUpdated": "2026-04-20T14:06:18.977Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-20T13:29:33.794Z"}, "title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-77", "description": "CWE-77", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "affected": [{"vendor": "Progress Software", "product": "LoadMaster", "versions": [{"status": "affected", "version": "V7.2.37.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "ECS Connections Manager", "versions": [{"status": "affected", "version": "V7.2.49.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "Object Scale Connection Manager", "versions": [{"status": "affected", "version": "V7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "MOVEit WAF", "versions": [{"status": "affected", "version": "V7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command"}]}], "references": [{"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Michael Argany of TrendAI Research", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T13:57:37.380160Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:06:18.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T13:57:37.380160Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:59:50.539Z"}}], "cna": {"title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Argany of TrendAI Research"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "LoadMaster", "versions": [{"status": "affected", "version": "V7.2.37.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "ECS Connections Manager", "versions": [{"status": "affected", "version": "V7.2.49.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "Object Scale Connection Manager", "versions": [{"status": "affected", "version": "V7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Progress Software", "product": "MOVEit WAF", "versions": [{"status": "affected", "version": "V7.2.62.0", "lessThan": "V7.2.63.0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command", "supportingMedia": [{"type": "text/html", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-20T13:29:33.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3518", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:06:18.977Z", "dateReserved": "2026-03-04T15:10:16.116Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-04-20T13:29:33.794Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with \u201cAll\u201d permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command"}], "id": "CVE-2026-3518", "lastModified": "2026-04-20T14:16:19.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2026-04-20T14:16:19.517", "references": [{"source": "security@progress.com", "url": "https://community.progress.com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:55:14.287462+00:00", "value": {"mitigation_remediation": ["Install the vendor\u2011supplied patch that removes or secures the vulnerable killsession API endpoint.", "If a patch is not yet available, disable or delete the killsession endpoint from the API to eliminate the injection surface.", "Restrict API access to trusted administrative accounts only and remove \"All\" permissions where they are not required.", "Configure network firewalls or API gateways to limit API exposure to known administrative IP ranges."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via OS Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Progress Software ECS Connections Manager, LoadMaster, MOVEit WAF, and Object Scale Connection Manager. Specific version information is not disclosed; any installation exposing the vulnerable killsession API endpoint should be treated as potentially affected.", "description_and_impact": "A flaw in the progressive ADC product suite allows an authenticated attacker with \"All\" permissions to send a \"killsession\" command that is not properly sanitized, resulting in OS command injection. This enables full control over the appliance, including the ability to read, modify, or delete data and potentially compromise the entire network segment the device resides on. The weakness corresponds to CWE\u201177.", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high severity for authenticated remote code execution. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog. An attacker would need valid credentials with \"All\" permissions to trigger the injection, which can be achieved through credential compromise or mis\u2011configuration, thereby enabling full control of the appliance."}}}}, "created": "2026-04-20T16:00:10.644327+00:00", "updated": "2026-04-20T16:00:10.644338+00:00", "vendors": []}