Cyber Posture

CVE-2025-13447

High

Published: 13 January 2026
Modified: 10 February 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.0th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OS Command Injection Remote Code Execution Vulnerability in the API of Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized API input parameters.

Mitigating Controls (NIST 800-53 r5)

SI-10 (prevent): SI-10 directly prevents OS command injection by requiring validation of unsanitized API input parameters to block arbitrary command execution.

SI-2 (prevent, recover): SI-2 ensures timely flaw remediation through patching the specific command injection vulnerability as advised by Progress security updates.

AC-6 (prevent): AC-6 least privilege limits exposure by restricting User Administration permissions to only necessary users, reducing the attack surface for authenticated exploitation.
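As an added illustration of the SI-10 control described above (this is example code written for this page, not Progress or LoadMaster code; the user-management endpoint, the parameter names `username` and `shell`, the `useradd` command and the audit sink are all hypothetical), the block below places the CWE-78 shape, request data spliced into a shell string, next to the hardened shape: an allowlist per parameter, rejection of unknown parameters, and argv-style execution with no shell involved. Rejections are logged with the calling account so that repeated failures from one User Administration account are visible to detection.

```python
"""Added illustration of SI-10 (input validation) for an API that builds OS
commands. Hypothetical endpoint, parameter names and command; not LoadMaster code."""
import re
import subprocess

# Allowlist per API parameter: one anchored pattern each. Anything outside the
# pattern (whitespace, ';', '|', '&', '$(', backticks, quotes, newlines) is rejected
# before it can reach a command line. Parameters not in the schema are rejected too.
PARAM_SCHEMA = {
    "username": re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}"),
    "shell": re.compile(r"/bin/(?:sh|bash|false)"),
}

audit_log = []  # constructed sink; a real handler would write to syslog or a SIEM


class InvalidParameter(ValueError):
    """Raised when an API parameter fails allowlist validation."""


def validate_request(params: dict, caller: str = "unknown") -> dict:
    """Return a copy of params in which every key is known, every schema key is
    present, and every value fully matches its allowlist pattern. Rejections are
    logged with the caller so repeated failures from one account stand out."""
    missing = set(PARAM_SCHEMA) - set(params)
    if missing:
        audit_log.append({"caller": caller, "param": sorted(missing), "rejected": "missing"})
        raise InvalidParameter(f"missing parameters: {sorted(missing)}")
    clean = {}
    for name, value in params.items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
            audit_log.append({"caller": caller, "param": name, "rejected": repr(value)})
            raise InvalidParameter(f"parameter {name!r} rejected")
        clean[name] = value
    return clean


def unsafe_command(params: dict) -> str:
    """The CWE-78 shape: parameter values spliced into a shell string that a
    handler would hand to a shell. Returned as a string here, never executed."""
    return f"/usr/sbin/useradd -s {params['shell']} {params['username']}"


def safe_command(params: dict, caller: str = "unknown") -> list:
    """Hardened shape: validate first, then pass each value as its own argv
    element so no shell ever parses the request data; '--' ends option parsing."""
    p = validate_request(params, caller)
    return ["/usr/sbin/useradd", "-s", p["shell"], "--", p["username"]]


def run_safe(params: dict, caller: str = "unknown", dry_run: bool = True) -> list:
    """Build the argv and, unless dry_run, execute it without a shell."""
    argv = safe_command(params, caller)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True)
    return argv


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying a shell separator.
    ok = {"username": "svc_backup", "shell": "/bin/false"}
    bad = {"username": "svc_backup; id", "shell": "/bin/false"}
    print("vulnerable string for bad input:", unsafe_command(bad))
    print("hardened argv for good input:", run_safe(ok, caller="admin1"))
    try:
        run_safe(bad, caller="admin1")
    except InvalidParameter as e:
        print("rejected:", e, "| audit:", audit_log[-1])
```

The allowlist is deliberately narrow (a username must start with a letter, so option-like values are impossible, and the shell must be one of three fixed paths); widening it to "escape the dangerous characters" is the pattern that tends to fail. Because the value never reaches a shell parser, the argv form stays safe even if the allowlist is later loosened, which is why both layers are kept.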

Security Summary

CVE-2025-13447 is an OS Command Injection vulnerability (CWE-78) in the API of Progress LoadMaster, enabling remote code execution on the LoadMaster appliance. The issue stems from unsanitized input in API parameters, allowing injection of arbitrary OS commands. Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with adjacent network access required.

An authenticated attacker possessing “User Administration” permissions can exploit the vulnerability from an adjacent network segment. By crafting malicious input for vulnerable API parameters, the attacker achieves remote code execution, potentially gaining full control over the LoadMaster appliance, with high confidentiality, integrity, and availability impacts; the changed scope (S:C) means the impact can extend beyond the vulnerable API component itself.

Progress has issued security advisories addressing CVE-2025-13447 alongside CVE-2025-13444 in contexts including LoadMaster, Connection Manager for ObjectScale, ECS Connection Manager, and MOVEit WAF. Mitigation details, such as patches or workarounds, are available in the following community articles: https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, and https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447.

Details

CWE(s)

CWE-78 (OS Command Injection)

Affected Products

Progress Connection Manager for ObjectScale*: ≤ 7.2.62.2
Progress ECS Connection Manager: ≤ 7.2.62.2
Progress LoadMaster: ≤ 7.2.54.16, ≤ 7.2.62.2
Progress MOVEit WAF: 7.2.62.1
Progress Multi-Tenant Hypervisor: ≤ 7.1.35.15

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the LoadMaster API enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References