This tweet discusses new security patches released by Progress for multiple vulnerabilities in its MOVEit WAF and LoadMaster products. The vulnerabilities allow attackers to execute code remotely, inject operating system commands, and bypass Web Application Firewall (WAF) detection. Specifically, two vulnerabilities, identified as CVE-2026-3517 and CVE-2026-3519, affect APIs within Progress ADC products. Progress ADC encompasses various application delivery controllers, including the LoadMaster WAF, used to protect web applications. The bugs are serious because they could allow attackers to compromise servers by executing arbitrary code or commands remotely, or to evade the WAF protection mechanisms. Progress has released patches to fix these flaws, and users of MOVEit WAF and LoadMaster are strongly advised to apply the updates immediately to secure their systems.
Check out the original tweet here: https://twitter.com/riskigy/status/2047677673527210056