CVE-2026-8037: OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Published Jun 4, 2026
·Updated
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Affected Software
4 affected components
Progress LoadMaster
Progress ECS Connection Manager
Progress Object Scale Connection Manager
Progress Moveit Waf
Event History
Jun 4, 2026
CVE Published
via MITRE·01:13 PM
Data Sourced
via MITRE·01:13 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·02:16 PM
DescriptionSeverityWeakness
Frequently Asked Questions
1
What is the severity of CVE-2026-8037?
CVE-2026-8037 has a critical severity rating of 9.6.
2
How do I fix CVE-2026-8037?
To fix CVE-2026-8037, you should apply the latest security patches provided by Progress for the affected products.
3
What products are affected by CVE-2026-8037?
CVE-2026-8037 affects Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF.
4
What type of vulnerability is CVE-2026-8037?
CVE-2026-8037 is classified as an OS Command Injection Remote Code Execution vulnerability.
5
Who can exploit CVE-2026-8037?
CVE-2026-8037 can be exploited by unauthenticated attackers to execute arbitrary commands on the LoadMaster appliance.