HelpnetSecurity

Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876)
Progress Software has fixed a slew of high-severity vulnerabilities in MOVEit WAF and LoadMaster, including a flaw (CVE-2026-21876) that may allow attackers to bypass firewall detection.

MOVEit WAF (web application firewall) is designed to protect Progress’s managed file transfer platform MOVEit Transfer from web-based attacks. (A zero-day vulnerability in MOVEit Transfer was infamously exploited in 2023 by the Cl0p cyber extortion gang to grab data from hundreds of organizations.)

LoadMaster is the company’s general-purpose enterprise application delivery controller and load balancer, and also comes with a built-in web application firewall.

The vulnerabilities fixed in both solutions include:

  • Four OS command injection vulnerabilities (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048) that can lead to remote code execution by authenticated attackers
  • A bug (CVE-2026-21876) in the OWASP core rule set (CRS), which is a set of generic attack detection rules used by most web application firewalls. The bug allows remote, unauthenticated attackers to bypass WAF detection by sending a specially crafted HTTP multipart request with an encoded malicious payload.

CVE-2026-21876 was flagged in early January 2026 by a security researcher who goes by Daytrift Newgen and was fixed by the OWASP CRS team soon after, in CRS versions 4.22.0 and 3.3.8.

“The vulnerability demonstrates the complexity of WAF rule development and the importance of understanding subtle engine behaviors when working with chained rules and collection variables,” the CRS team noted, and said that the bug “is trivial to exploit once known.”

PoC exploits for CVE-2026-21876 have since been made public.

What to do?

Progress Software fixed all five vulnerabilities in:

  • Progress MOVEit WAF v7.2.63.0
  • Progress Kemp LoadMaster v7.2.63.1
  • Progress Kemp LoadMaster LTSF v7.2.54.17
  • Progress ECS Connection Manager v7.2.63.1
  • Progress Connection Manager for ObjectScale v7.2.63.1

The company says it is unaware of reports of these flaws being exploited, but nevertheless “strongly recommend[s]” that customers upgrade to a fixed version of the affected solutions.

“MOVEit Cloud has already been upgraded to the patched version, so no further action is needed by MOVEit Cloud customers,” Progress noted.
