JustAppSec

Patches WAF bypass and command injection in MOVEit WAF

2 min read | Published 22 Apr 2026 | Source: Help Net Security

TL;DR — A WAF detection bypass in the widely used OWASP Core Rule Set, plus multiple command-injection bugs in Progress WAF products, increase the risk of missed attacks and authenticated RCE in exposed deployments.

What happened

MOVEit WAF is Progress Software’s web application firewall intended to protect MOVEit Transfer from web attacks, while Kemp LoadMaster is an application delivery controller/load balancer that also includes a built-in WAF.

Help Net Security reports that Progress fixed a set of high-severity vulnerabilities across MOVEit WAF and LoadMaster, including: (1) four OS command injection vulnerabilities that can lead to remote code execution by authenticated attackers (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048), and (2) an OWASP Core Rule Set bug (CVE-2026-21876) enabling remote, unauthenticated attackers to bypass WAF detection using a specially crafted HTTP multipart request with an encoded malicious payload.

The report notes PoC exploits for CVE-2026-21876 are public, and quotes the CRS team that the bug “is trivial to exploit once known.” This is operationally important because WAF rule-set bypasses can invalidate compensating controls teams may be relying on at the edge, especially when combined with internet-facing deployments.

Who is impacted

  • Organizations running Progress MOVEit WAF and/or Kemp LoadMaster (including LTSF) that have not applied the vendor’s fixed releases.
  • Environments relying on the OWASP Core Rule Set (CRS) as a primary detection/control layer for multipart request attacks.

Product                                      Fixed version(s) reported by Help Net Security
Progress MOVEit WAF                          v7.2.63.0
Progress Kemp LoadMaster                     v7.2.63.1
Progress Kemp LoadMaster LTSF                v7.2.54.17
Progress ECS Connection Manager              v7.2.63.1
Progress Connection Manager for ObjectScale  v7.2.63.1

Additionally, the report states CVE-2026-21876 was fixed by the OWASP CRS team in CRS 4.22.0 and CRS 3.3.8.

What to do now

  • Follow vendor remediation guidance and upgrade to a fixed version of the affected solutions. The report quotes Progress as saying they “strongly recommend” that customers upgrade to a fixed version of the solutions.
  • If you deploy OWASP CRS independently (outside these appliances), ensure you are running a CRS release that includes the CVE-2026-21876 fix (the report cites CRS 4.22.0 and CRS 3.3.8).
  • Treat public PoC availability for CVE-2026-21876 as an exposure multiplier: validate WAF coverage for multipart parsing edge cases and review whether any critical endpoints are depending on WAF-only controls.
  • If you are a MOVEit Cloud customer, the report notes Progress stated MOVEit Cloud has already been upgraded to the patched version, and “no further action is needed” for MOVEit Cloud customers.
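One practical way to act on the table above is to check an appliance inventory against the reported fixed builds before declaring the advisory closed. The script below is an added example, not code from Help Net Security or Progress; the hostnames and running versions in it are constructed. It encodes the fixed versions exactly as listed on this page and compares numerically per product, which matters because the LTSF branch is fixed at v7.2.54.17, so a naive "everything must be at least 7.2.63" rule would flag patched LTSF units as vulnerable, and a plain string comparison would sort 7.2.9 above 7.2.63. The CRS check is branch-aware for the same reason (3.3.8 and 4.22.0 are both fixed releases).

```python
"""Audit an appliance inventory against the fixed versions reported for the
Progress MOVEit WAF / Kemp LoadMaster advisory and the OWASP CRS fix.

Added example; the inventory at the bottom is constructed, not real data.
"""

# Fixed versions as reported by Help Net Security (see the table above).
# Keyed by product name because the LTSF branch has its own, lower, fixed build.
FIXED_VERSIONS = {
    "Progress MOVEit WAF": "7.2.63.0",
    "Progress Kemp LoadMaster": "7.2.63.1",
    "Progress Kemp LoadMaster LTSF": "7.2.54.17",
    "Progress ECS Connection Manager": "7.2.63.1",
    "Progress Connection Manager for ObjectScale": "7.2.63.1",
}

# OWASP CRS releases containing the CVE-2026-21876 fix, one per supported branch.
CRS_FIXED = {"4": "4.22.0", "3": "3.3.8"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v7.2.63.0' into (7, 2, 63, 0) so comparisons are numeric,
    not lexicographic ('7.2.9' must not sort above '7.2.63')."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def is_patched(product: str, running: str) -> bool:
    """True when the running build is at or above the product's fixed build.
    Raises KeyError for unknown products rather than silently passing them."""
    return parse_version(running) >= parse_version(FIXED_VERSIONS[product])


def crs_is_patched(running: str) -> bool:
    """Compare a CRS version against the fixed release of its own branch,
    so 3.3.8 counts as patched even though it is numerically below 4.22.0.
    Branches with no listed fix (e.g. 2.x) are treated as unpatched."""
    major = running.strip().lstrip("vV").split(".")[0]
    fixed = CRS_FIXED.get(major)
    if fixed is None:
        return False
    return parse_version(running) >= parse_version(fixed)


def audit(inventory):
    """Return the (hostname, product, running_version) entries that still
    need an upgrade, preserving inventory order."""
    return [
        (host, product, running)
        for host, product, running in inventory
        if not is_patched(product, running)
    ]


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    ("waf-edge-01", "Progress MOVEit WAF", "v7.2.62.4"),
    ("lm-dc1-01", "Progress Kemp LoadMaster", "v7.2.63.1"),
    ("lm-ltsf-01", "Progress Kemp LoadMaster LTSF", "v7.2.54.17"),
    ("lm-ltsf-02", "Progress Kemp LoadMaster LTSF", "v7.2.54.9"),
]

if __name__ == "__main__":
    for host, product, running in audit(SAMPLE_INVENTORY):
        print(f"UPGRADE {host}: {product} {running} < v{FIXED_VERSIONS[product]}")
    for crs in ("3.3.7", "3.3.8", "4.21.0", "4.22.0"):
        print(f"CRS {crs}: {'fixed' if crs_is_patched(crs) else 'needs upgrade'}")
```

Feed `audit()` whatever your CMDB or SSH-collected version strings look like; the only assumption is that product names match the table's wording, which is deliberate so an unrecognised product raises instead of being skipped.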

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
