Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Progress Software Patches LoadMaster, MOVEit WAF Vulnerabilities


15 January 2026 07:37

On January 12, 2026, Progress Software Corporation released patches that address two high-severity Command Injection vulnerabilities, which could allow remote attackers to execute malicious code on LoadMaster load balancers and MOVEit Web Application Firewalls (WAFs).

The vulnerabilities exist in both the user interface (UI) and application programming interface (API) of the affected products. An attacker, by sending appropriately structured requests to specific endpoints, could execute arbitrary system commands.

The bugs are tracked as CVE-2025-13444 and CVE-2025-13447. Both carry a CVSS score of 8.4 and pose a high threat to organizations that use these tools to secure and deploy applications.

If exploited, these “UI/API Command Injection Remote Code Execution vulnerabilities” could grant an attacker complete control of the appliance. Progress reported, “All vulnerable systems should still be properly patched to prevent exploitation of these vulnerabilities.” It added, “We have not received reports of exploitation of these vulnerabilities and are not aware of any direct operational impact to customers.”

The security update covers a wide range of deployments, including standard LoadMaster appliances, long-term support firmware (LTSF), and multi-tenant environments.

Administrators are encouraged to immediately update to the following versions:

  • LoadMaster GA: Update to version 7.2.62.2 (fixes version 7.2.62.0 and earlier).
  • LoadMaster LTSF: Update to version 7.2.54.16 (fixes version 7.2.54.15 and earlier).
  • Multi-tenant hypervisor: Update to version 7.1.35.15 (fixes version 7.1.35.11 and earlier).
  • MOVEit WAF: Update to version 7.2.62.2 (fixes version 7.2.62.1).

For organizations using LoadMaster Multi-Tenant (LoadMaster MT), the patching process requires a two-step approach.

The advisory highlights a specific distinction in how components are affected: “The MT hypervisor or Manager node is vulnerable to CVE-2025-13444 (only) and should be patched using the update listed above as soon as possible.”
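The version list above can be checked against an appliance inventory with a per-track comparison, so that a patched LTSF build is not flagged just because its number is lower than the GA fix. This is an added example, not code from Progress or from the article; the inventory rows, hostnames and the dotted-quad version format are assumptions.

```python
import re

# Per track: (last affected version named in the article, fixed version,
#             whether the article says "and earlier")
ADVISORY = {
    "LoadMaster GA": ("7.2.62.0", "7.2.62.2", True),
    "LoadMaster LTSF": ("7.2.54.15", "7.2.54.16", True),
    "Multi-tenant hypervisor": ("7.1.35.11", "7.1.35.15", True),
    "MOVEit WAF": ("7.2.62.1", "7.2.62.2", False),
}

def parse(version):
    """Return the four leading numeric components as a tuple, or None.
    Assumption: inventory versions begin with a dotted quad such as 7.2.62.0."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(track, version):
    """Classify one appliance against the fixed version for its own track."""
    if track not in ADVISORY:
        return "unknown-track"
    v = parse(version)
    if v is None:
        return "unparseable"
    last_affected, fixed, and_earlier = ADVISORY[track]
    a, f = parse(last_affected), parse(fixed)
    if v >= f:
        return "patched"
    if v == a or (and_earlier and v < a):
        return "affected"
    # Below the fixed build but not named in the article:
    # confirm the status against the vendor advisory.
    return "unlisted"

def report(inventory):
    """inventory: iterable of (host, track, installed_version) rows."""
    return [(h, t, v, triage(t, v)) for h, t, v in inventory]

# Constructed inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("lb-edge-01", "LoadMaster GA", "7.2.62.0"),
    ("lb-core-02", "LoadMaster LTSF", "7.2.54.16"),
    ("mt-mgr-01", "Multi-tenant hypervisor", "7.1.35.13"),
    ("waf-01", "MOVEit WAF", "7.2.62.1"),
]

if __name__ == "__main__":
    for host, track, version, status in report(SAMPLE):
        print(f"{host:12} {track:24} {version:10} {status}")
```

Rows reported as "unlisted" sit between the last affected version and the fixed version the article names, so their status has to be confirmed in the vendor advisory rather than inferred.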


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.