OWASP: Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876)

Progress Software Patches Critical Vulnerabilities in MOVEit WAF and LoadMaster

Progress Software has addressed multiple high-severity vulnerabilities in its MOVEit WAF and LoadMaster products, including a flaw that could allow attackers to bypass web application firewall (WAF) protections.

The vulnerabilities affect MOVEit WAF, a security layer for the company’s managed file transfer platform (previously targeted in the 2023 Cl0p ransomware attacks), and LoadMaster, an enterprise application delivery controller with built-in WAF capabilities. Among the fixed issues:

  • Four OS command injection flaws (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048) enabling remote code execution by authenticated attackers.
  • CVE-2026-21876, a critical bug in the OWASP Core Rule Set (CRS), a widely used WAF rule framework, that permits unauthenticated attackers to bypass detection via crafted HTTP multipart requests. The flaw was discovered in early January 2026 by researcher Daytrift Newgen and patched in CRS versions 4.22.0 and 3.3.8. The OWASP team described the exploit as "trivial" once known, and public proof-of-concept (PoC) code is now available.

Progress Software released fixes in the following versions:

  • MOVEit WAF v7.2.63.0
  • LoadMaster v7.2.63.1
  • LoadMaster LTSF v7.2.54.17
  • ECS Connection Manager v7.2.63.1
  • Connection Manager for ObjectScale v7.2.63.1

While no active exploitation has been reported, the company urged customers to upgrade immediately. MOVEit Cloud environments have already been patched, requiring no further action from those users. The incident underscores ongoing risks in WAF rule development and the potential for evasion techniques in security controls.

Source: https://www.helpnetsecurity.com/2026/04/22/progress-waf-bypass-cve-2026-21876/

OWASP CRS cybersecurity rating report: https://www.rankiteo.com/company/owasp-crs

{
  "id": "OWA1776861154",
  "linkid": "owasp-crs",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'software',
                        'name': 'Progress Software',
                        'type': 'vendor'}],
 'attack_vector': ['authenticated OS command injection',
                   'unauthenticated HTTP multipart requests'],
 'date_detected': '2026-01-01',
 'description': 'Progress Software has addressed multiple high-severity '
                'vulnerabilities in its MOVEit WAF and LoadMaster products, '
                'including a flaw that could allow attackers to bypass web '
                'application firewall (WAF) protections. The vulnerabilities '
                'affect MOVEit WAF and LoadMaster, enabling remote code '
                'execution and WAF bypass via crafted HTTP requests.',
 'impact': {'systems_affected': ['MOVEit WAF',
                                 'LoadMaster',
                                 'ECS Connection Manager',
                                 'Connection Manager for ObjectScale']},
 'investigation_status': 'completed',
 'lessons_learned': 'The incident underscores ongoing risks in WAF rule '
                    'development and the potential for evasion techniques in '
                    'security controls.',
 'post_incident_analysis': {'corrective_actions': ['patches released for '
                                                   'MOVEit WAF and LoadMaster',
                                                   'OWASP CRS updated to '
                                                   'versions 4.22.0 and 3.3.8'],
                            'root_causes': ['vulnerabilities in WAF rule '
                                            'framework (OWASP CRS)',
                                            'OS command injection flaws']},
 'recommendations': ['Upgrade to the latest patched versions of MOVEit WAF and '
                     'LoadMaster immediately.'],
 'references': [{'source': 'Progress Software Advisory'},
                {'source': 'OWASP Core Rule Set (CRS) Advisory'},
                {'source': 'Researcher Daytrift Newgen'}],
 'response': {'communication_strategy': ['urged customers to upgrade '
                                         'immediately'],
              'containment_measures': ['patches released'],
              'remediation_measures': ['upgrades to fixed versions']},
 'stakeholder_advisories': 'Progress Software urged customers to upgrade '
                           'immediately. MOVEit Cloud environments have '
                           'already been patched.',
 'title': 'Progress Software Patches Critical Vulnerabilities in MOVEit WAF '
          'and LoadMaster',
 'type': ['vulnerability', 'WAF bypass', 'remote code execution'],
 'vulnerability_exploited': ['CVE-2026-3517',
                             'CVE-2026-3518',
                             'CVE-2026-3519',
                             'CVE-2026-4048',
                             'CVE-2026-21876']}