Vulnerability Description
OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Progress | Connection Manager For Objectscale* | < 7.2.62.2 |
| Progress | Ecs Connection Manager | < 7.2.62.2 |
| Progress | Loadmaster | < 7.2.54.16 |
| Progress | Moveit Waf | 7.2.62.1 |
| Progress | Multi-Tenant Hypervisor | < 7.1.35.15 |
Related Weaknesses (CWE)
References
- https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-VulnVendor Advisory
- https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-Vendor Advisory
- https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-134Vendor Advisory
- https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-134Vendor Advisory
FAQ
What is CVE-2025-13447?
CVE-2025-13447 is a vulnerability with a CVSS score of 8.4 (HIGH). OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the Load...
How severe is CVE-2025-13447?
CVE-2025-13447 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-13447?
Check the references section above for vendor advisories and patch information. Affected products include: Progress Connection Manager For Objectscale*, Progress Ecs Connection Manager, Progress Loadmaster, Progress Moveit Waf, Progress Multi-Tenant Hypervisor.