Progress CVE coverage for MOVEit, Telerik, OpenEdge, and high-impact enterprise file-transfer or application platforms.
Vendor watch hub
The Progresswatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
Apr 20, 2026, 9:16 AM
Feed refreshes daily · 5:15 a.m. Central
Sources·CISA KEV and NVD (product vendor coverage)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 15 most recent items, newest first. Each row links to the official advisory.
15 rows · sorted newest first
Operations viewOS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command
In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server.
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.
Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution.
Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. Known ransomware use: Known.
Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access.
Progress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system. Known ransomware use: Known.
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. Known ransomware use: Known.
Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process. Known ransomware use: Known.
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
connection manager for objectscale vulnerability (CVE-2026-4048)OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process. connection manager for objectscale | HIGHCVE-2026-4048 Watch | watch | Apr 20, 2026, 9:16 AM | NVDOpen source |
connection manager for objectscale vulnerability (CVE-2026-3519)OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command connection manager for objectscale | HIGHCVE-2026-3519 Watch | watch | Apr 20, 2026, 9:16 AM | NVDOpen source |
connection manager for objectscale vulnerability (CVE-2026-3518)OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command connection manager for objectscale | HIGHCVE-2026-3518 Watch | watch | Apr 20, 2026, 9:16 AM | NVDOpen source |
connection manager for objectscale vulnerability (CVE-2026-3517)OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command connection manager for objectscale | HIGHCVE-2026-3517 Watch | watch | Apr 20, 2026, 9:16 AM | NVDOpen source |
flowmon vulnerability (CVE-2026-3692)In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server. flowmon | HIGHCVE-2026-3692 Watch | watch | Apr 2, 2026, 9:16 AM | NVDOpen source |
sharefile storage zones controller vulnerability (CVE-2026-2701)Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution. sharefile storage zones controller | HIGHCVE-2026-2701 Watch | watch | Apr 2, 2026, 9:16 AM | NVDOpen source |
Progress WhatsUp Gold Path Traversal VulnerabilityProgress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution. WhatsUp Gold | criticalCVE-2024-4885 Critical | active | Mar 2, 2025, 6:00 PM | CISA KEVOpen source |
Progress Kemp LoadMaster OS Command Injection VulnerabilityProgress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution. Kemp LoadMaster | criticalCVE-2024-1212 Critical | active | Nov 17, 2024, 6:00 PM | CISA KEVOpen source |
Progress WhatsUp Gold SQL Injection VulnerabilityProgress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. Known ransomware use: Known. WhatsUp Gold | criticalCVE-2024-6670 Critical | active | Sep 15, 2024, 7:00 PM | CISA KEVOpen source |
Progress Telerik Report Server Authentication Bypass by Spoofing VulnerabilityProgress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access. Telerik Report Server | criticalCVE-2024-4358 Critical | active | Jun 12, 2024, 7:00 PM | CISA KEVOpen source |
Progress WS_FTP Server Deserialization of Untrusted Data VulnerabilityProgress WS_FTP Server contains a deserialization of untrusted data vulnerability in the Ad Hoc Transfer module that allows an authenticated attacker to execute remote commands on the underlying operating system. Known ransomware use: Known. WS_FTP Server | criticalCVE-2023-40044 Critical | active | Oct 4, 2023, 7:00 PM | CISA KEVOpen source |
Progress MOVEit Transfer SQL Injection VulnerabilityProgress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. Known ransomware use: Known. MOVEit Transfer | criticalCVE-2023-34362 Critical | active | Jun 1, 2023, 7:00 PM | CISA KEVOpen source |
Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data VulnerabilityProgress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process. Known ransomware use: Known. Telerik UI for ASP.NET AJAX | criticalCVE-2019-18935 Critical | active | Nov 2, 2021, 7:00 PM | CISA KEVOpen source |
telerik ui for asp.net ajax vulnerability (CVE-2017-11357)Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. telerik ui for asp.net ajax | CRITICALCVE-2017-11357 Critical | active | Aug 23, 2017, 12:29 PM | CISA KEVOpen source |
sitefinity vulnerability (CVE-2017-9248)Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. sitefinity | CRITICALCVE-2017-9248 Critical | active | Jul 3, 2017, 2:29 PM | CISA KEVOpen source |
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the cybersecurity services pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the Progress-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current Progress issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map Progress advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.