Progress security advisory (AV26-371)
# Vulnerability: Multiple Critical Vulnerabilities in Progress Kemp LoadMaster and MOVEit WAF
## CVE Details
- **CVE ID:** CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048, CVE-2026-21876
- **CVSS Score:** Not explicitly listed in advisory, but categorized as "Critical" by vendor context.
- **CWE:** Not specified in the summary advisory.
## Affected Systems
- **Products:** Progress Kemp LoadMaster and Progress MOVEit WAF
- **Versions:**
  - Progress Kemp LoadMaster: GA v7.2.62.2 and prior
  - Progress Kemp LoadMaster: LTSF v7.2.54.16 and prior
  - Progress MOVEit WAF: GA v7.2.62.2 and prior
- **Configurations:** Default installations of the versions listed above.
## Vulnerability Description
While the specific technical mechanics of each CVE are not detailed in the high-level summary, these identifiers represent a collection of security flaws affecting the management and delivery interfaces of Kemp LoadMaster and MOVEit WAF. Given the "Critical" bulletin status, flaws of this kind typically involve remote code execution (RCE), command injection, or unauthorized access bypasses.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild, but categorized as a Critical Security Bulletin.
- **Complexity:** Medium (typical for appliance-based vulnerabilities).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Progress recommends upgrading to the following versions or later:
- **LoadMaster/MOVEit WAF GA:** Upgrade to versions newer than v7.2.62.2.
- **LoadMaster LTSF:** Upgrade to versions newer than v7.2.54.16.
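
To apply these thresholds across a fleet, the following added example (not part of the advisory or any Progress tooling) triages an appliance inventory against the affected-version ceilings listed above. The CSV column names and host names are assumptions made for illustration; versions are compared numerically, since a string comparison would rank 7.2.54.9 above 7.2.54.16.

```python
import csv
import io
import re

# Highest affected build per (product, branch), taken from the advisory text.
LAST_AFFECTED = {
    ("loadmaster", "ga"): (7, 2, 62, 2),
    ("loadmaster", "ltsf"): (7, 2, 54, 16),
    ("moveit waf", "ga"): (7, 2, 62, 2),
}

def parse_version(text):
    """Return a 4-part integer tuple for strings like 'v7.2.62.2', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(product, branch, version):
    """Classify one appliance as 'affected', 'not-affected' or 'unknown'."""
    ceiling = LAST_AFFECTED.get((product.strip().lower(), branch.strip().lower()))
    parsed = parse_version(version)
    if ceiling is None or parsed is None:
        return "unknown"  # never treat missing or unparseable data as safe
    # Tuple comparison is numeric per component: (7,2,54,9) < (7,2,54,16).
    return "affected" if parsed <= ceiling else "not-affected"

def triage_inventory(csv_text):
    """Map each host in a CSV inventory to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["product"], r["branch"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,branch,version
lb-edge-01,LoadMaster,GA,7.2.62.2
lb-edge-02,LoadMaster,GA,v7.2.62.3
lb-core-01,LoadMaster,LTSF,7.2.54.9
lb-core-02,LoadMaster,LTSF,7.2.54.17
waf-01,MOVEit WAF,GA,7.2.61.0
waf-02,MOVEit WAF,GA,unknown
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual version check before they are considered patched.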
### Workarounds
- Limit access to the management interface to trusted internal networks only.
- Ensure robust firewall rules are in place to restrict unauthorized traffic to the appliance.
## Detection
- **Indicators of compromise:** Monitor for unusual administrative logins or unauthorized configuration changes.
- **Detection methods and tools:** Audit system logs for unexpected command executions or connection attempts from external IP addresses.
## References
- Progress Kemp Advisory: hxxps://community[.]progress[.]com/s/article/LoadMaster-Security-Vulnerabilites-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876
- MOVEit WAF Bulletin: hxxps://community[.]progress[.]com/s/article/MOVEit-WAF-Critical-Security-Bulletin-April-2026-CVE-2026-3517-CVE-2026-3518-CVE-2026-3519-CVE-2026-4048-CVE-2026-21876
- CCCS Advisory: hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/progress-security-advisory-av26-371