




















Progress Software has fixed a slew of high-severity vulnerabilities in MOVEit WAF and LoadMaster, including a flaw (CVE-2026-21876) that may allow attackers to bypass firewall detection.

MOVEit WAF (web application firewall) is designed to protect Progress’s managed file transfer platform MOVEit Transfer from web-based attacks. (A zero-day vulnerability in MOVEit Transfer was infamously exploited in 2023 by the Cl0p cyber extortion gang to grab data from hundreds of organizations.)
LoadMaster is the company’s general-purpose enterprise application delivery controller and load balancer, and also comes with a built-in web application firewall.
The vulnerabilities fixed in both solutions include:
CVE-2026-21876 was flagged in early January 2026 by a security researcher who goes by Daytrift Newgen and was fixed by the OWASP CRS team soon after, in CRS versions 4.22.0 and CRS 3.3.8.
“The vulnerability demonstrates the complexity of WAF rule development and the importance of understanding subtle engine behaviors when working with chained rules and collection variables,” the CRS team noted, and said that the bug “is trivial to exploit once known.”
PoC exploits for CVE-2026-21876 have since been made public.
Progress Software fixed all five vulnerabilities in:
The company says they are unaware of reports of these flaws being exploited, but nevertheless “strongly recommend” customers to upgrade to a fixed version of the solutions.
“MOVEit Cloud has already been upgraded to the patched version, so no further action is needed by MOVEit Cloud customers,” Progress noted.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。