CVE-2025-13444
📋 TL;DR
This CVE describes an OS command injection vulnerability in Progress LoadMaster's API that allows authenticated attackers with 'User Administration' permissions to execute arbitrary commands on the appliance. The vulnerability stems from unsanitized input in API parameters, potentially leading to remote code execution. Organizations using affected Progress products (LoadMaster, Connection Manager, MOVEit WAF) are at risk.
💻 Affected Systems
- Progress LoadMaster
- Progress Connection Manager for ObjectScale
- Progress Connection Manager for ECS
- Progress MOVEit WAF
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the LoadMaster appliance leading to lateral movement into connected systems, data exfiltration, and persistent backdoor installation.
Likely Case
Attacker gains shell access to the appliance, modifies configurations, steals credentials, and disrupts load balancing services.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and minimal user permissions.
🎯 Exploit Status
Exploitation requires valid credentials with specific permissions. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisories for specific patched versions
Vendor Advisory: https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
Restart Required: Yes
Instructions:
1. Review vendor advisories for affected versions.
2. Apply vendor-provided patches/updates.
3. Restart affected services/appliances.
4. Verify patch application.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to API endpoints to trusted IPs only
Configure firewall rules to restrict API port access
Implement network segmentation for management interfaces
Reduce User Permissions
Minimize accounts with 'User Administration' permissions
Review and remove unnecessary admin privileges
Implement least privilege principle
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all API parameters
- Deploy web application firewall (WAF) with command injection rules
🔍 How to Verify
Check if Vulnerable:
Check if running affected Progress products and review version against vendor advisories
Check Version:
Check product-specific version commands (varies by product)
Verify Fix Applied:
Verify patch version matches vendor recommendations and test API input validation
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests with shell metacharacters
- Multiple failed authentication attempts followed by successful login
- Commands executed via API that don't match normal patterns
Network Indicators:
- Unusual outbound connections from LoadMaster appliances
- Traffic to unexpected ports from management interfaces
SIEM Query:
source="loadmaster" request_body=*
| regex request_body="[;&|`$<>()]"
| stats count by user, src_ip, uri, request_body
(Splunk-style search; field names such as request_body, user and src_ip are illustrative and must be mapped to the fields your log source actually emits.)
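As an added illustration of the first log indicator above (this is not from the page's references or from Progress's own tooling), the following scans constructed API access-log lines for shell metacharacters in parameter values submitted by accounts holding the 'User Administration' permission. The log line format, the role value user_admin and the sample lines are all assumptions made for the example; LoadMaster's real log format is not described on this page.

```python
import re
from urllib.parse import parse_qs, unquote

# Characters that change the meaning of a value if it is interpolated into a shell command line.
SHELL_META = re.compile(r"[;&|`$<>()\n]")

# Constructed log format (assumption, not LoadMaster's documented format):
#   ts=<iso> user=<account> role=<role> src=<ip> uri=<path> params="<url-encoded query>"
LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) '
    r'uri=(?P<uri>\S+) params="(?P<params>[^"]*)"'
)

def scan_line(line):
    """Return findings for one API access-log line, or [] if it looks benign.
    Only accounts with the (assumed) user_admin role are considered, because the
    advisory states that 'User Administration' permission is required to reach
    the vulnerable code path."""
    m = LINE_RE.match(line)
    if not m:
        return []
    rec = m.groupdict()
    if rec["role"] != "user_admin":
        return []
    findings = []
    for name, values in parse_qs(rec["params"], keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; decode again to catch double-encoding
            if SHELL_META.search(decoded):
                findings.append({"ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                                 "uri": rec["uri"], "param": name, "value": decoded})
    return findings

def scan_log(lines):
    """Scan a sequence of log lines and return every finding in order."""
    return [f for line in lines for f in scan_line(line)]

# Constructed sample lines: benign, metacharacter from an admin, metacharacter from a
# read-only account (ignored), and a double-encoded metacharacter from an admin.
SAMPLE_LOG = [
    'ts=2025-11-20T10:00:00Z user=alice role=user_admin src=10.0.0.5 uri=/access/adduser params="user=bob&password=Str0ngPass"',
    'ts=2025-11-20T10:00:05Z user=alice role=user_admin src=10.0.0.5 uri=/access/adduser params="user=bob%3Btest&password=x"',
    'ts=2025-11-20T10:00:09Z user=viewer role=read_only src=10.0.0.9 uri=/access/stats params="q=a%7Cb"',
    'ts=2025-11-20T10:00:12Z user=alice role=user_admin src=10.0.0.5 uri=/access/adduser params="user=bob%2524HOME&password=x"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```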
🔗 References
- https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
- https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
- https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
- https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447