Progress Software Patches Critical Vulnerabilities in MOVEit WAF and LoadMaster Progress Software has addressed multiple high-severity vulnerabilities in its MOVEit WAF and LoadMaster products, including a flaw that could allow attackers to bypass web application firewall (WAF) protections. The vulnerabilities affect MOVEit WAF, a security layer for the company’s managed file transfer platform (previously targeted in the 2023 Cl0p ransomware attacks), and LoadMaster, an enterprise application delivery controller with built-in WAF capabilities. Among the fixed issues: - Four OS command injection flaws (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048) enabling remote code execution by authenticated attackers. - CVE-2026-21876, a critical bug in the OWASP Core Rule Set (CRS) a widely used WAF rule framework that permits unauthenticated attackers to bypass detection via crafted HTTP multipart requests. The flaw was discovered in early January 2026 by researcher Daytrift Newgen and patched in CRS versions 4.22.0 and 3.3.8. The OWASP team described the exploit as "trivial" once known, with public proof-of-concept (PoC) code now available. Progress Software released fixes in the following versions: - MOVEit WAF v7.2.63.0 - LoadMaster v7.2.63.1 - LoadMaster LTSF v7.2.54.17 - ECS Connection Manager v7.2.63.1 - Connection Manager for ObjectScale v7.2.63.1 While no active exploitation has been reported, the company urged customers to upgrade immediately. MOVEit Cloud environments have already been patched, requiring no further action from those users. The incident underscores ongoing risks in WAF rule development and the potential for evasion techniques in security controls.

A newly discovered denial-of-service vulnerability (CVE-2025-52891) in ModSecurity's WAF engine affects versions 2.9.8, 2.9.9, and 2.9.10 when SecParseXmlIntoArgs is enabled. The flaw, caused by improper handling of empty XML tags, leads to segmentation faults and complete service disruption. Exploitation requires no authentication and can be executed remotely, causing server crashes and manual restarts. While the CVSS score is moderate (6.5/10), the impact is severe for affected systems, particularly those in critical sectors like government and commercial WAF vendors. Mitigation includes disabling SecParseXmlIntoArgs or applying an upcoming patch. The vulnerability highlights ongoing security challenges in WAFs, emphasizing the need for vigilance and prompt patching.