Cyber Posture

CVE-2025-13447

Severity: High
Published: 13 January 2026
Modified: 10 February 2026
KEV Added: not listed
Patch: see the Progress advisories linked under Deeper analysis
CVSS Score: 8.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13447 is a high-severity OS Command Injection (CWE-78) vulnerability in Progress LoadMaster. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly prevents OS command injection by requiring validation of the API input parameters, so that unsanitized input cannot reach a command interpreter.

SI-2 Flaw Remediation (prevent, recover): ensures timely remediation by patching this command injection vulnerability as advised by the Progress security updates.

AC-6 Least Privilege (prevent): limits exposure by restricting "User Administration" permissions to only the users who need them, reducing the population able to perform authenticated exploitation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the LoadMaster API enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters.

Deeper analysis

CVE-2025-13447 is an OS Command Injection vulnerability (CWE-78) in the API of Progress LoadMaster, enabling remote code execution on the LoadMaster appliance. The issue stems from unsanitized input in API parameters, allowing injection of arbitrary OS commands. Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.4 (AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with adjacent network access required.

An authenticated attacker possessing “User Administration” permissions can exploit the vulnerability from an adjacent network segment. By crafting malicious input for vulnerable API parameters, the attacker achieves remote code execution and can potentially gain full control of the LoadMaster appliance: the vector records high confidentiality, integrity, and availability impact with a changed scope, meaning the impact extends beyond the API component itself.

Progress has issued security advisories addressing CVE-2025-13447 alongside CVE-2025-13444 in contexts including LoadMaster, Connection Manager for ObjectScale, ECS Connection Manager, and MOVEit WAF. Mitigation details, such as patches or workarounds, are available in the following community articles: https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447, and https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

Progress Connection Manager for ObjectScale*: ≤ 7.2.62.2
Progress ECS Connection Manager: ≤ 7.2.62.2
Progress LoadMaster: ≤ 7.2.54.16 · ≤ 7.2.62.2
Progress MOVEit WAF: 7.2.62.1
Progress Multi-Tenant Hypervisor: ≤ 7.1.35.15

CVEs Like This One

CVE-2025-13444 (same product: Progress ECS Connection Manager)
CVE-2026-4670 (same product class: managed file transfer)
CVE-2025-11235 (same product class: managed file transfer)
CVE-2024-56132 (same product: Progress LoadMaster)
CVE-2026-28269 (same product class: managed file transfer)
CVE-2026-3518 (same product: Progress ECS Connection Manager)
CVE-2026-4048 (same product: Progress ECS Connection Manager)
CVE-2025-2324 (same product class: managed file transfer)
CVE-2026-5174 (same product class: managed file transfer)
CVE-2023-34362 (same product class: managed file transfer)

References