At a glance: Progress Software released patches for critical vulnerabilities affecting MOVEit Web Application Firewall and Kemp LoadMaster, widely used at the enterprise and managed service provider perimeter. The issues could allow authenticated threat actors to execute commands or bypass inspection controls under certain conditions, making timely remediation important for reducing risk.
Threat summary
On April 20, Progress Software released security patches addressing multiple vulnerabilities affecting components across its Application Delivery Controller (ADC) product line, including MOVEit Web Application Firewall (WAF), Kemp LoadMaster, and related connection manager components. The affected versions are:
- Progress Kemp LoadMaster version GA v7.2.62.2 and prior
- Progress Kemp LoadMaster version LTSF v7.2.54.16 and prior
- Progress MOVEit WAF version GA v7.2.62.2 and prior
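The version list above is the input a defender needs for fleet triage. The script below is an added example (not Progress tooling and not part of the original advisory) that checks an appliance inventory against those three ceilings. It keys the comparison on product and release branch, because the LTSF line carries lower numbers than GA while being a separate line, and it compares versions field by field rather than as strings. The hostnames and the sample inventory are constructed; a version above a listed ceiling is reported only as outside the range the advisory lists, which is not the same as confirmed fixed, so the fixed release numbers should still be taken from the vendor's release notes.

```python
"""Triage a Kemp LoadMaster / MOVEit WAF inventory against the affected-version
ceilings listed in the advisory. Added example, not Progress tooling."""
from dataclasses import dataclass

# Inclusive upper bounds taken from the advisory: "vX and prior" is affected.
# Keyed on (product, release branch): LTSF and GA are separate release lines
# whose version numbers must not be compared against each other.
AFFECTED_CEILING = {
    ("Kemp LoadMaster", "GA"): (7, 2, 62, 2),
    ("Kemp LoadMaster", "LTSF"): (7, 2, 54, 16),
    ("MOVEit WAF", "GA"): (7, 2, 62, 2),
}
VERSION_FIELDS = 4


def parse_version(text):
    """'v7.2.62.2' -> (7, 2, 62, 2); '7.2.60' -> (7, 2, 60, 0).

    Field-wise numeric comparison is required: as plain strings,
    '7.2.54.16' would sort above '7.2.62.2'.
    """
    s = text.strip()
    if s[:1] in ("v", "V"):
        s = s[1:]
    parts = s.split(".")
    if not parts or len(parts) > VERSION_FIELDS or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (VERSION_FIELDS - len(nums)))


def is_affected(product, branch, version):
    """True when the version is at or below the ceiling the advisory lists."""
    key = (product, branch)
    if key not in AFFECTED_CEILING:
        raise KeyError(f"no affected range listed for {product} {branch}")
    return parse_version(version) <= AFFECTED_CEILING[key]


@dataclass(frozen=True)
class Appliance:
    hostname: str
    product: str
    branch: str
    version: str


def triage(inventory):
    """Map hostname -> 'AFFECTED', 'NOT IN LISTED RANGE', or 'UNKNOWN: <reason>'.

    Unparseable versions and unlisted product/branch pairs are surfaced
    rather than silently treated as safe.
    """
    result = {}
    for a in inventory:
        try:
            affected = is_affected(a.product, a.branch, a.version)
        except (KeyError, ValueError) as exc:
            result[a.hostname] = f"UNKNOWN: {exc}"
            continue
        result[a.hostname] = "AFFECTED" if affected else "NOT IN LISTED RANGE"
    return result


# Constructed sample inventory: hostnames and the versions above the ceilings
# are made up for this example and are not real Progress release numbers.
SAMPLE_INVENTORY = [
    Appliance("lm-edge-01", "Kemp LoadMaster", "GA", "v7.2.62.2"),
    Appliance("lm-edge-02", "Kemp LoadMaster", "GA", "7.2.62.3"),
    Appliance("lm-core-01", "Kemp LoadMaster", "LTSF", "7.2.54.16"),
    Appliance("lm-core-02", "Kemp LoadMaster", "LTSF", "7.2.54.17"),
    Appliance("waf-dmz-01", "MOVEit WAF", "GA", "7.2.60"),
    Appliance("waf-dmz-02", "MOVEit WAF", "GA", "7.2.62.2-beta"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Run as-is to see the constructed inventory triaged; in practice, feed `triage()` the product, branch and version strings exported from your own asset inventory. The branch field matters: an LTSF 7.2.54.17 appliance is outside its listed range, but the same number checked against the GA ceiling would be misreported as affected.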
MOVEit WAF and LoadMaster are commonly deployed at the application and network perimeter to manage, inspect, and secure inbound and outbound traffic for enterprise and managed service provider environments. These platforms often sit in front of business-critical web applications and managed file transfer systems, making them high-value targets if compromised.
The most critical issues are tracked as CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048. These arise from improper input sanitization in application programming interface (API) and user interface components, including administrative API commands and the upload of custom WAF rule files, enabling authenticated threat actors with specific privileges to execute malicious commands on the underlying appliance.
Another flaw, CVE-2026-21876, allows WAF inspection bypass due to flawed multipart HTTP header validation logic, permitting crafted requests to evade detection.
Taken together, and under the conditions described above, the flaws could enable remote code execution, operating system command injection, or weakening of perimeter inspection controls.
Analysis
Given the perimeter role of these products and prior incidents involving MOVEit Transfer, newly disclosed vulnerabilities in Progress software are likely to attract rapid attention from threat actors once technical details become public.
Upgrading affected MOVEit Web Application Firewall and Kemp LoadMaster systems to the fixed releases provided by Progress reduces the risk of exploitation.
Additional measures may include reviewing and tightening administrative access to affected appliances, with special attention paid to roles required to manage API and custom WAF rules.
Existing WAF configurations, rule files, and administrative activity logs can be reviewed for unexpected changes, as similar Progress vulnerabilities in the past enabled modification of security controls to mask follow-on activity.
Where immediate patching is not feasible, temporarily limiting management interfaces, restricting access to trusted networks, and increasing monitoring for command execution or configuration changes on MOVEit WAF and LoadMaster appliances can help reduce exposure until remediation is completed.