OS Command Injection in Progress LoadMaster API Affects User Administration
CVE-2025-13444

8.4HIGH

Key Information:

Vendor

Progress Software
Status
Loadmaster
Multi Tenant Loadmaster
Vendor
CVE Published:
13 January 2026

What is CVE-2025-13444?

An OS Command Injection vulnerability exists in the API of Progress LoadMaster. This flaw enables an authenticated attacker with 'User Administration' permissions to execute arbitrary commands on the LoadMaster appliance. The vulnerability arises due to unsanitized input in API parameters, making it possible for malicious input to be processed directly by the system. Immediate mitigation and patching are essential to secure the LoadMaster environment from potential exploitation.

Affected Version(s)

LoadMaster LoadMaster Appliance 7.2.50

LoadMaster LoadMaster Appliance 7.2.50

Multi Tenant LoadMaster Multi Tenant LoadMaster 7.2.39

References

https://community.progress.com/s/article/LoadMaster-Vulne...
vendor-advisory
https://community.progress.com/s/article/ECS-Connection-M...
vendor-advisory
https://community.progress.com/s/article/Connection-Manag...
vendor-advisory

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alex Williams from Converge Technology Solutions working with Trend Micro Zero Day Initiative
.