About:
CVE-2026-8037 is a critical remote code execution vulnerability affecting multiple Progress ADC products, including LoadMaster and MOVEit WAF. The flaw allows unauthenticated attackers to execute operating system commands through vulnerable API endpoints, potentially leading to full appliance compromise. With public exploit details available and exploitation attempts observed, organizations should prioritize patching exposed systems.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Identifier: CVE-2026-8037
PoC or Exploitation:
Public technical research and proof-of-concept exploit details are available for CVE-2026-8037, demonstrating exploitation techniques against affected Progress ADC products. eSentire's Threat Response Unit (TRU) identified exploitation attempts targeting CVE-2026-8037 beginning on June 29, 2026.
Update / Patch:
Progress has released security updates addressing CVE-2026-8037.
Affected Products:
Affected Versions:
Fixed Versions:
Vendor advisory and patch guidance:
Description:
CVE-2026-8037 is a critical OS command injection vulnerability affecting the API of several Progress ADC products, including Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF.
An unauthenticated attacker with network access to a vulnerable appliance can submit specially crafted requests to vulnerable API endpoints and execute arbitrary operating system commands.
Successful exploitation may allow attackers to execute commands with elevated privileges, compromise the affected appliance, modify configurations, access sensitive information, disrupt application delivery services, establish persistence, or use the compromised device as a pivot point for further attacks within the network.
Mitigation Recommendation:
Immediately upgrade all affected Progress ADC products to the appropriate fixed version.
Prioritize remediation of internet-facing LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF deployments.
Restrict administrative and API access to trusted management networks whenever possible.
Review appliance logs and API activity for suspicious command execution attempts, unexpected configuration changes, unauthorized administrative actions, or anomalous outbound network connections.
Investigate unusual process execution, system modifications, or appliance instability that may indicate compromise.
Conduct compromise assessments on exposed appliances, particularly those accessible from untrusted networks.