HarborGuard Database

CVE-2026-8037 · Severity: CRITICAL · CNA: Progress Software

CVE-2026-8037: OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: V7.2.54.18
  • Affected products: 4


HarborGuard Analysis

Synopsis

OS command injection vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF allows an unauthenticated attacker on an adjacent network to execute arbitrary operating system commands on the appliance. The flaw exists because multiple API command endpoints pass user-supplied input to the underlying OS without sanitization, and no credentials are required to trigger it. Successful exploitation gives the attacker full remote code execution on the affected appliance, with high impact to confidentiality, integrity, and availability. Patched-image rebuilds at V7.2.54.18 and V7.2.63.2 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: CVE-2026-8037 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Progress ADC base layers.

Triage (Available)

HarborGuard is capable of scoring this finding at CVSS 9.6 Critical and weighting it against each environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Available)

For environments running an affected version range, a patched-image rebuild at V7.2.54.18 or V7.2.63.2 becomes available as soon as HarborGuard processes the fix metadata. For customers who opt into auto-remediation, the platform can trigger a rebuild, run a regression test suite, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: adjacent network

    The attack requires adjacency to the target network, meaning the attacker must be on the same LAN, VLAN, or connected VPN segment as the affected appliance.

  • Authentication: not required

    No credentials of any kind are needed; the vulnerable API endpoints accept and process unauthenticated requests.

  • Victim interaction: not required

    The attacker sends a crafted request directly to the appliance; no user action or interaction is involved.

  • Attack complexity: low

    Exploitation is straightforward and condition-free; no race conditions, memory layout dependencies, or special environmental factors are required.

Blast Radius

  • Attacker executes arbitrary operating system commands as a privileged process on the affected appliance, effectively owning the host.
  • All data handled by the appliance, including proxied traffic, session state, and stored credentials, is readable by the attacker.
  • The attacker can modify appliance configuration, routing rules, and persisted data, enabling traffic interception or redirection.
  • The attacker can crash or render the appliance unavailable, disrupting load balancing, WAF enforcement, and connection management for dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-8037 is active as soon as the advisory is ingested, with images scanned against the affected version ranges for LoadMaster (V7.2.45.12 through pre-V7.2.54.18 and V7.2.60.0 through pre-V7.2.63.2), ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF (V7.2.60.0 through pre-V7.2.63.2). Given the Critical CVSS score of 9.6 and the zero-authentication, adjacent-network attack surface, this finding is surfaced at the highest urgency tier. For customers who opt into auto-remediation, HarborGuard can rebuild affected images at the fix versions (V7.2.54.18 or V7.2.63.2 as appropriate), execute a regression run, and open a patch PR against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated owner inbox for manual review. Because this vulnerability requires only adjacent-network access and no authentication, network-policy isolation of the affected appliance management interfaces is a recommended compensating control while patching is scheduled.
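The version ranges above are the core of any "am I affected?" check. The following is an added example (not HarborGuard's or Progress Software's code) that encodes those ranges as inclusive-start, exclusive-end intervals and maps an inventory of (host, product, version) rows to the fix version each affected host should move to; the product-name keys and the sample inventory are assumptions constructed for the example.

```python
# Added example (not HarborGuard's or Progress Software's code): decide whether a
# product/version pair falls inside the CVE-2026-8037 affected ranges in this record.
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V7.2.54.18' (or '7.2.54.18', '7.2.54') into a 4-part integer tuple."""
    text = text.strip()
    if text[:1].lower() == "v":
        text = text[1:]
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += ["0"] * (4 - len(parts))  # pad so tuples compare element-wise
    return tuple(int(p) for p in parts)

# (first affected, first fixed, fix version) per product, from the record above.
# Start is inclusive, end is exclusive: the fix version itself is not affected.
RANGE_54 = (parse_version("V7.2.45.12"), parse_version("V7.2.54.18"), "V7.2.54.18")
RANGE_63 = (parse_version("V7.2.60.0"), parse_version("V7.2.63.2"), "V7.2.63.2")
AFFECTED_RANGES = {  # product-name keys are an assumption of this example
    "LoadMaster": [RANGE_54, RANGE_63],
    "ECS Connection Manager": [RANGE_63],
    "Object Scale Connection Manager": [RANGE_63],
    "MOVEit WAF": [RANGE_63],
}

def fix_version_for(product: str, version: str) -> Optional[str]:
    """Return the fix version if this product/version is affected, else None."""
    v = parse_version(version)
    for start, end, fix in AFFECTED_RANGES.get(product, []):
        if start <= v < end:
            return fix
    return None

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Keep only affected (host, product, version) rows as (host, version, fix)."""
    findings = []
    for host, product, version in inventory:
        fix = fix_version_for(product, version)
        if fix is not None:
            findings.append((host, version, fix))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("lm-edge-01", "LoadMaster", "V7.2.50.3"),
              ("lm-edge-02", "LoadMaster", "V7.2.54.18"),
              ("waf-01", "MOVEit WAF", "7.2.61.0")]
    for host, cur, fix in triage(sample):
        print(f"{host}: {cur} is affected, upgrade to {fix}")
```

Hosts already at a fix version, below the first affected build, or running an unlisted product produce no finding, so the output is exactly the set of appliances to schedule for patching or network isolation.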


Fix available

V7.2.54.18, V7.2.63.2

Affected packages

  • Progress Software / LoadMaster: < V7.2.63.2 (from V7.2.60.0) · < V7.2.54.18 (from V7.2.45.12)
  • Progress Software / ECS Connection Manager: < V7.2.63.2 (from V7.2.60.0)
  • Progress Software / Object Scale Connection Manager: < V7.2.63.2 (from V7.2.60.0)
  • Progress Software / MOVEit WAF: < V7.2.63.2 (from V7.2.60.0)

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H