CVE-2025-13444

High

Published: 13 January 2026

Published

13 January 2026

Modified

13 February 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0005 14.0th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13444 is a high-severity OS Command Injection (CWE-78) vulnerability in Progress Loadmaster. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by enforcing validation of unsanitized API input parameters to block arbitrary command execution.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability comprehensively by requiring timely flaw remediation through vendor patches for the affected LoadMaster API.

AC-6 Least Privilege partial match

prevent

Limits exploitation risk by enforcing least privilege, restricting 'User Administration' permissions to only essential users.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection in LoadMaster API enables authenticated RCE on appliance (T1190 for vuln exploitation in public-facing service; T1059.004 for arbitrary Unix shell command execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

Deeper analysisAI

CVE-2025-13444 is an OS command injection vulnerability that enables remote code execution in the API of Progress LoadMaster. Published on 2026-01-13, it stems from unsanitized input in API parameters, classified under CWE-78 with a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). The vulnerability affects the LoadMaster appliance, with Progress advisories also associating it with related components such as Connection Manager for ObjectScale, ECS Connection Manager, and MOVEit WAF.

An authenticated attacker possessing “User Administration” permissions can exploit this flaw over an adjacent network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary operating system commands on the LoadMaster appliance, potentially leading to full compromise including high confidentiality, integrity, and availability impacts due to the scoped attack vector.

Progress has issued security advisories detailing CVE-2025-13444 alongside CVE-2025-13447 for affected products, available at community.progress.com articles on LoadMaster, MOVEit WAF, ECS Connection Manager, and Connection Manager for ObjectScale. Security practitioners should review these references for specific patch availability, mitigation steps, and upgrade guidance to address the vulnerability.

Details

CWE(s): CWE-78

Affected Products

progress

connection manager for objectscale

≤ 7.2.62.2

progress

ecs connection manager

≤ 7.2.62.2

progress

loadmaster

≤ 7.2.54.16 · ≤ 7.2.62.2

progress

moveit waf

7.2.62.1

progress

multi-tenant hypervisor

≤ 7.1.35.15

CVEs Like This One

CVE-2025-13447Same product: Progress Ecs Connection Manager

CVE-2026-3518Same product: Progress Connection Manager For Objectscale

CVE-2026-4048Same product: Progress Connection Manager For Objectscale

CVE-2026-4670Same product class: managed file transfer

CVE-2026-3519Same product: Progress Connection Manager For Objectscale

CVE-2025-11235Same product class: managed file transfer

CVE-2024-56132Same product: Progress Loadmaster

CVE-2026-28269Same product class: managed file transfer

CVE-2026-3517Same product: Progress Connection Manager For Objectscale

CVE-2026-5174Same product class: managed file transfer

References

https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
Vendor Advisory · security@progress.com
https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
Vendor Advisory · security@progress.com
https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
Vendor Advisory · security@progress.com
https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447
Vendor Advisory · security@progress.com