Progress ADC Products Face Critical OS Command Injection RCE


The National Vulnerability Database has detailed CVE-2026-3517, a high-severity OS command injection vulnerability impacting Progress ADC Products. This flaw, rated 8.4 CVSS, allows an authenticated attacker with “Geo Administration” permissions to achieve remote code execution (RCE) on the LoadMaster appliance. The root cause lies in unsanitized input within the ‘addcountry’ command’s API.

This isn’t just another bug; it’s a critical RCE that, while requiring authentication and specific permissions, provides a direct path to appliance compromise. Attackers who gain administrative access, even lower-tier ‘Geo Administration’ privileges, can leverage this to execute arbitrary commands. This escalates a potentially contained compromise into full system control.

Defenders need to treat this with urgency. Organizations using Progress ADC LoadMaster appliances must determine whether they are running affected versions. The attacker's calculus here is straightforward: gain initial access, then exploit this vulnerability for full control. Patching, or implementing robust input validation and strict access controls for administrative interfaces, is paramount to mitigating this risk.

What This Means For You

  • If your organization uses Progress ADC LoadMaster appliances, immediately verify if your versions are impacted by CVE-2026-3517. Prioritize patching or apply the vendor's recommended mitigations without delay. Audit logs for any suspicious activity related to 'Geo Administration' accounts and ensure strict access controls are in place for all administrative interfaces.
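One way to run the log audit recommended above, as an added example that is not part of the original post or any vendor code: it scans web access logs for 'addcountry' requests whose parameter values fall outside a conservative allowlist. The log layout, the /access/ path prefix, the parameter names and the account names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines. Assumptions: the log layout, the /access/ prefix,
# the parameter names and the account names are illustrative, not vendor data.
SAMPLE_LOG = """\
10.0.0.5 - geoadmin [20/Apr/2026:10:01:02 +0000] "GET /access/addcountry?fqdn=www.example.com&ip=192.0.2.10&countrycode=US HTTP/1.1" 200
10.0.0.9 - geoadmin [20/Apr/2026:10:03:40 +0000] "GET /access/addcountry?fqdn=www.example.com&ip=192.0.2.10&countrycode=US%3BPLACEHOLDER HTTP/1.1" 200
10.0.0.5 - bal [20/Apr/2026:10:04:11 +0000] "GET /access/listvs HTTP/1.1" 200
10.0.0.9 - geoadmin [20/Apr/2026:10:05:00 +0000] "GET /access/addcountry?fqdn=www.example.com&ip=%24%28PLACEHOLDER%29&countrycode=DE HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Conservative allowlist: hostnames, IP addresses and country codes need
# nothing beyond these characters, so anything else is worth a look.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:-]*")


def audit_addcountry(log_text):
    """Return one finding per addcountry request with an unexpected value."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        url = urlsplit(m["target"])
        command = url.path.rstrip("/").rsplit("/", 1)[-1].lower()
        if command != "addcountry":
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        bad = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
               if not SAFE_VALUE.fullmatch(v)]
        if bad:
            findings.append({"line": lineno, "user": m["user"],
                             "src": m["src"], "time": m["ts"], "params": bad})
    return findings


if __name__ == "__main__":
    for f in audit_addcountry(SAMPLE_LOG):
        print(f)
```

Parameters sent in a request body do not appear in access logs, so this covers query-string requests only; adjust `LINE_RE` to the log format your appliance or reverse proxy actually writes.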

Detection Rules

1 detection rule mapped to MITRE ATT&CK:

CVE-2026-3517 - Progress ADC addcountry OS Command Injection (severity: critical; technique: T1190 Initial Access)

Indicators of Compromise

ID              Type               Indicator
CVE-2026-3517   RCE                Progress ADC Products
CVE-2026-3517   Command Injection  API in Progress ADC Products
CVE-2026-3517   Command Injection  addcountry command
CVE-2026-3517   Auth Bypass        Authenticated attacker with 'Geo Administration' permissions

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 20, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
