
Progress Software patches stealthy WAF bypass flaw (CVE-2026-21876)

Originally published on: April 23, 2026
Summary

– Progress Software fixed five high-severity vulnerabilities in MOVEit WAF and LoadMaster, including CVE-2026-21876, which allows attackers to bypass firewall detection.
– CVE-2026-21876 is a bug in the OWASP core rule set that lets unauthenticated remote attackers bypass WAF detection via a specially crafted HTTP multipart request.
– The four other vulnerabilities are OS command injection flaws (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048) that can lead to remote code execution by authenticated attackers.
– Progress fixed these flaws in MOVEit WAF v7.2.63.0 and LoadMaster v7.2.63.1, among other releases, and MOVEit Cloud has already been upgraded.
– Progress is unaware of exploitation reports but strongly recommends customers upgrade to the patched versions.

Progress Software has released patches addressing multiple high-severity vulnerabilities across its MOVEit WAF and LoadMaster product lines, including a critical bypass flaw tracked as CVE-2026-21876 that could let attackers circumvent firewall protections undetected.

The MOVEit WAF (web application firewall) is built to shield Progress’s managed file transfer platform, MOVEit Transfer, from web-based attacks. This is the same platform infamously exploited in 2023 by the Cl0p ransomware gang, which leveraged a zero-day vulnerability to steal data from hundreds of organizations. Meanwhile, LoadMaster serves as the company’s enterprise application delivery controller and load balancer, also incorporating a built-in web application firewall.

The patch addresses five distinct vulnerabilities. Among them are four OS command injection flaws (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, and CVE-2026-4048) that authenticated attackers could exploit to achieve remote code execution. The most notable issue, CVE-2026-21876, resides in the OWASP core rule set (CRS), a widely used collection of attack detection rules that powers most web application firewalls. This bug allows remote, unauthenticated attackers to bypass WAF detection entirely by sending a specially crafted HTTP multipart request containing an encoded malicious payload.

Security researcher Daytrift Newgen flagged CVE-2026-21876 in early January 2026, and the OWASP CRS team quickly addressed it in versions 4.22.0 and 3.3.8. The CRS team described the vulnerability as highlighting “the complexity of WAF rule development and the importance of understanding subtle engine behaviors when working with chained rules and collection variables.” They further warned that the bug “is trivial to exploit once known.” Public proof-of-concept exploits for CVE-2026-21876 have since emerged.

Progress Software has released fixes for all five vulnerabilities in the following versions: MOVEit WAF v7.2.63.0, Kemp LoadMaster v7.2.63.1, Kemp LoadMaster LTSF v7.2.54.17, ECS Connection Manager v7.2.63.1, and Connection Manager for ObjectScale v7.2.63.1. While the company reports no evidence of active exploitation, it “strongly recommends” customers upgrade to these patched versions. MOVEit Cloud users are already covered, as the service has been upgraded automatically.
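As an added example (not code from Progress or the OWASP CRS project), the check below compares an inventory against the fixed versions listed above. It is branch-aware so that CRS 3.3.8 is not mis-ranked as "older than" 4.22.0; the product-line labels and the sample inventory are constructed for this illustration.

```python
import re

# First fixed release per product line, as listed in the article.
# Line labels are assumed names for this example, not vendor identifiers.
FIXED = {
    "owasp-crs-3.3": "3.3.8",
    "owasp-crs-4": "4.22.0",
    "moveit-waf": "7.2.63.0",
    "loadmaster": "7.2.63.1",
    "loadmaster-ltsf": "7.2.54.17",
    "ecs-connection-manager": "7.2.63.1",
    "connection-manager-objectscale": "7.2.63.1",
}

def parse_version(text):
    """Turn 'v7.2.63.1' or '3.3.8' into a tuple of ints for comparison."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)

def crs_line(version):
    """CRS maintains a 3.3.x line and a 4.x line; pick the line before
    comparing. Anything else (e.g. 3.2.x) falls through to the 4.x line
    and is therefore reported as unpatched, which is the safe answer."""
    major, minor = parse_version(version)[:2]
    return "owasp-crs-3.3" if (major, minor) == (3, 3) else "owasp-crs-4"

def is_patched(product, version):
    """True when the installed version is at or above the fix for its line."""
    line = crs_line(version) if product == "owasp-crs" else product
    have, fixed = parse_version(version), parse_version(FIXED[line])
    # Pad so 7.2.63 compares equal to 7.2.63.0 instead of sorting below it.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return have >= fixed

def unpatched(inventory):
    """Return 'product version' strings still below the fix for their line."""
    return [f"{p} {v}" for p, v in inventory if not is_patched(p, v)]

# Constructed inventory for demonstration, not real hosts.
SAMPLE = [("owasp-crs", "3.3.7"), ("owasp-crs", "3.3.8"), ("owasp-crs", "4.21.0"),
          ("moveit-waf", "v7.2.62.0"), ("loadmaster-ltsf", "v7.2.54.17")]
```

Running `unpatched(SAMPLE)` reports the 3.3.7, 4.21.0 and MOVEit WAF 7.2.62.0 entries and leaves the patched ones alone.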

(Source: Help Net Security)
