ByteOS Network

CVE Vulnerability Details :

CVE-2025-13447

PUBLISHED

More Info Official Page

Assigner-ProgressSoftware

Assigner Org ID-f9fea0b6-671e-4eea-8fde-31911902ae05

Published At-13 Jan, 2026 | 14:31

Updated At-26 Feb, 2026 | 15:04

▼CVE Numbering Authority (CNA)

OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

Affected Products

Vendor

Progress Software Corporation

Product

LoadMaster

Platforms

LoadMaster Appliance
MOVEit WAF Appliance
ECS Appliance
ObjectScale Appliance

Default Status

unaffected

Versions

Affected

From 7.2.50 before V7.2.62.2 (custom)
From 7.1.32 before V7.2.62.2 (custom)
From 7.2.37 before V7.2.62.2 (custom)
From 7.2.39 before V7.2.62.2 (custom)
From 7.2.50 before V7.2.54.16 (custom)
From 7.1.32 before V7.2.54.16 (custom)
From 7.2.37 before V7.2.54.16 (custom)
From 7.2.39 before V7.2.54.16 (custom)

Problem Types

Type	CWE ID	Description
CWE	Improper	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Type: CWE

CWE ID: Improper

Description: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

Version	Base score	Base severity	Vector
3.1	8.4	HIGH	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Version: 3.1

Base score: 8.4

Base severity: HIGH

Vector:

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Impacts

CAPEC ID	Description
N/A	OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

CAPEC ID: N/A

Description: OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

Credits

finder

Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative

References

Hyperlink	Resource
https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447	vendor-advisory
https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447	vendor-advisory
https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447	vendor-advisory
https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447	vendor-advisory

Hyperlink: https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447

Resource:

vendor-advisory

Hyperlink: https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447

Resource:

vendor-advisory

Hyperlink: https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447

Resource:

vendor-advisory

Hyperlink: https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References