Emergency Security Bulletin: API in Progress ADC Products


By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-8037 is a critical remote code execution vulnerability affecting multiple Progress ADC products, including LoadMaster and MOVEit WAF. The flaw allows unauthenticated attackers to execute operating system commands through vulnerable API endpoints, potentially leading to full appliance compromise. With public exploit details available and exploitation attempts observed, organizations should prioritize patching exposed systems.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products

Identifier: CVE-2026-8037
PoC or Exploitation:
Public technical research and proof-of-concept exploit details are available for CVE-2026-8037, demonstrating exploitation techniques against affected Progress ADC products. eSentire's Threat Response Unit (TRU) identified exploitation attempts targeting CVE-2026-8037 beginning on June 29, 2026.

CVSS Score: 9.6 (Critical, CVSS v3.1)

Update / Patch:
Progress has released security updates addressing CVE-2026-8037.

Affected Products:

  • Progress LoadMaster
  • Progress ECS Connection Manager
  • Progress Object Scale Connection Manager
  • Progress MOVEit WAF

Affected Versions:

  • Progress LoadMaster V7.2.60.0 up to, but not including, V7.2.63.2
  • Progress LoadMaster V7.2.45.12 up to, but not including, V7.2.54.18 (LTSF)
  • Progress ECS Connection Manager V7.2.60.0 up to, but not including, V7.2.63.2
  • Progress Object Scale Connection Manager V7.2.60.0 up to, but not including, V7.2.63.2
  • Progress MOVEit WAF V7.2.60.0 up to, but not including, V7.2.63.2

Fixed Versions:

  • Progress ADC products V7.2.63.2 and later
  • Progress LoadMaster LTSF V7.2.54.18 and later
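The affected and fixed version ranges above, turned into an inventory check a defender can run over the versions reported by their appliances. This is an added example, not RedLegg's or Progress's code; it assumes versions are reported as dotted strings with an optional leading "V" (as written in this bulletin), the "GA" label for the non-LTSF branch is this example's own, and the hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn 'V7.2.63.2' or '7.2.63.2' into a comparable tuple such as (7, 2, 63, 2)."""
    s = s.strip()
    if s[:1] in ("V", "v"):
        s = s[1:]
    parts = s.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(p) for p in parts)

# (branch label, first affected version, first fixed version), copied from the bulletin.
# "GA" is this example's label for the non-LTSF branch; the bulletin does not name it.
AFFECTED_RANGES = (
    ("GA", "V7.2.60.0", "V7.2.63.2"),
    ("LTSF", "V7.2.45.12", "V7.2.54.18"),
)

def assess(version: str) -> Optional[str]:
    """Return the affected branch label, or None when the version is outside both ranges."""
    v = parse_version(version)
    for branch, first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return branch
    return None

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "lm-edge-01.example": "V7.2.61.0",   # GA branch, inside the affected range
    "lm-dc-02.example": "7.2.63.2",      # first fixed GA release
    "lm-ltsf-03.example": "V7.2.54.17",  # LTSF branch, inside the affected range
    "lm-ltsf-04.example": "V7.2.54.18",  # first fixed LTSF release
    "lm-lab-05.example": "V7.2.59.0",    # between the two listed ranges: not listed as affected
}

def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label every host as affected (with branch) or not in a listed affected range."""
    result = {}
    for host, version in inventory.items():
        branch = assess(version)
        result[host] = f"affected ({branch})" if branch else "not in listed affected range"
    return result

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:22} {SAMPLE_INVENTORY[host]:12} {status}")
```

Versions between the two published ranges (such as the constructed 7.2.59.0) are reported as "not in listed affected range" rather than as safe, because the bulletin only states which ranges are affected; treat such hosts as candidates for upgrade to the fixed release rather than as cleared.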

Vendor advisory and patch guidance:

https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691

Description:
CVE-2026-8037 is a critical OS command injection vulnerability affecting the API of several Progress ADC products, including Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF.

An unauthenticated attacker with network access to a vulnerable appliance can submit specially crafted requests to vulnerable API endpoints and execute arbitrary operating system commands.

Successful exploitation may allow attackers to execute commands with elevated privileges, compromise the affected appliance, modify configurations, access sensitive information, disrupt application delivery services, establish persistence, or use the compromised device as a pivot point for further attacks within the network.

Mitigation Recommendation:
Immediately upgrade all affected Progress ADC products to the appropriate fixed version.

Prioritize remediation of internet-facing LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF deployments.

Restrict administrative and API access to trusted management networks whenever possible.

Review appliance logs and API activity for suspicious command execution attempts, unexpected configuration changes, unauthorized administrative actions, or anomalous outbound network connections.

Investigate unusual process execution, system modifications, or appliance instability that may indicate compromise.

Conduct compromise assessments on exposed appliances, particularly those accessible from untrusted networks.