Progress ADC RCE: Authenticated API Flaw Exposes LoadMaster
The National Vulnerability Database has disclosed CVE-2026-3519, a high-severity OS Command Injection vulnerability (CVSS 8.4) affecting Progress ADC products. The flaw is in the API, in the handling of the ‘aclcontrol’ command, which does not sanitize its input.
An authenticated attacker with “VS Administration” permissions can exploit this vulnerability to execute arbitrary commands on the LoadMaster appliance. Although exploitation requires prior authentication and specific permissions, the impact is severe: it allows full system compromise of affected devices. This is a direct path to persistent access and potentially lateral movement within an environment.
Defenders need to treat this with urgency. Given the administrative access required, this vulnerability is likely to be chained with other exploits, such as credential compromise, to gain the initial foothold. It underscores the critical importance of least privilege and robust authentication for network infrastructure components.
What This Means For You
- If your organization uses Progress ADC LoadMaster products, immediately verify the authentication controls around users with "VS Administration" permissions. Audit logs for any suspicious API calls related to 'aclcontrol' commands. Prioritize patching this CVE as soon as a fix is available to prevent authenticated attackers from achieving remote code execution.
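The log audit suggested above can be sketched as follows, as an added example that is not from the original advisory or from Progress. The access-log layout, the `/access/aclcontrol` path, the parameter name `example_param` and every sample line are constructed assumptions; the advisory does not say which parameter is affected.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters a shell treats as command separators, pipes, redirection or substitution.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

# Assumed combined-log-style layout: client, ident, user, [time], "request", status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_aclcontrol_calls(lines):
    """Flag aclcontrol API requests whose decoded parameters contain shell metacharacters."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE.match(line)
        if not match:
            continue  # unparseable lines are skipped; review them separately
        url = urlsplit(match["target"])
        if "aclcontrol" not in url.path.lower():
            continue  # only the command named in the advisory is in scope
        flagged = []
        # Split on raw '&' first, then percent-decode once, so %3B is seen as ';'.
        for pair in filter(None, url.query.split("&")):
            key, _, value = pair.partition("=")
            key, value = unquote_plus(key), unquote_plus(value)
            if SHELL_META.search(key) or SHELL_META.search(value):
                flagged.append((key, value))
        if flagged:
            findings.append({"line": number, "ip": match["ip"],
                             "user": match["user"], "params": flagged})
    return findings

# Constructed sample lines (documentation IP ranges, hypothetical users and parameter).
SAMPLE_LOG = [
    '192.0.2.10 - opsuser [20/Apr/2026:17:20:01 +0000] '
    '"GET /access/aclcontrol?example_param=10.0.0.5 HTTP/1.1" 200 512',
    '192.0.2.10 - opsuser [20/Apr/2026:17:20:09 +0000] '
    '"GET /access/other?x=a%7Cb HTTP/1.1" 200 2048',
    '198.51.100.7 - vsadmin [20/Apr/2026:17:21:44 +0000] '
    '"GET /access/aclcontrol?example_param=10.0.0.5%3Bid HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for finding in suspicious_aclcontrol_calls(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in an access log of this shape, so this check covers query strings only.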
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-3519 | RCE | Progress ADC Products |
| CVE-2026-3519 | Command Injection | API in Progress ADC Products |
| CVE-2026-3519 | Command Injection | unsanitized input in the 'aclcontrol' command |
| CVE-2026-3519 | Privilege Escalation | authenticated attacker with “VS Administration” permissions |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 20, 2026 at 17:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.