Critical Progress Kemp LoadMaster Bug Allows Pre-Auth Remote Code Execution
Key Takeaways
- A critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-8037, has been discovered in Progress Kemp LoadMaster.
- This flaw allows unauthenticated attackers to execute arbitrary commands on affected LoadMaster appliances, which are commonly deployed at enterprise network perimeters.
- The vulnerability carries a CVSS score of 9.8, indicating its severe impact and ease of exploitation.
- Patches are available; organizations must update to GA version 7.2.63.2 or LTSF version 7.2.54.18 immediately.
Critical Vulnerability Exposes Enterprise Networks via Progress Kemp LoadMaster
A severe security flaw within Progress Kemp LoadMaster, identified as CVE-2026-8037, presents a significant risk to global enterprise networks. This vulnerability enables remote, unauthenticated attackers to execute arbitrary system commands directly on vulnerable appliances without requiring any login credentials.
Kemp LoadMaster serves as a widely utilized load balancer and application delivery controller in corporate environments. Its functions include managing inbound network traffic, offloading SSL/TLS, performing content switching, and providing a built-in web application firewall. Given its typical placement at the network’s edge, this vulnerability offers a direct and unhindered pathway into an organization’s core infrastructure, bypassing internal security measures.
Technical Deep Dive into CVE-2026-8037
Researchers at WatchTowr Labs were instrumental in identifying the root cause of this critical vulnerability, publishing a comprehensive technical analysis. According to the WatchTowr Labs report, the flaw stems from improper memory handling within the device's access executable. Specifically, user-controlled input is not adequately sanitized before being passed to the system shell.
The vulnerability was initially reported to Progress by Syed Ibrahim Ahmed of TrendAI Research. Progress subsequently issued an official advisory on June 4, 2026. The Zero Day Initiative assigned CVE-2026-8037 a CVSS score of 9.8, categorizing it as critical. This high score reflects the pre-authentication nature of the attack, its remote exploitability, and the fact that successful exploitation leads to root-level code execution on the compromised device.
The core of the vulnerability lies within the escape_quotes() function, designed to sanitize user input before its inclusion in shell commands. While this function correctly escapes single quotes, older software versions failed to append a null terminator to the resulting output buffer. This seemingly minor oversight transforms a standard memory handling error into a fully exploitable remote code execution vector.
When a request reaches the /accessv2 API endpoint, the apiuser value is processed by escape_quotes() and then incorporated into a shell command for execution. Without the null terminator in the escaped output buffer, the sprintf function continues reading beyond its intended boundary, encroaching into adjacent heap space. Attackers can leverage this by injecting extra JSON key-value pairs within the same request. This carefully positions a command injection payload into an adjacent, freed memory chunk. By sending four single quotes as the apiuser value, sixteen bytes are generated, overwriting allocator metadata in the neighboring chunk. This clears the path for the injected command to reach the shell, achieving full root-level code execution on the target device.
Affected Versions and Mitigation
The vulnerability impacts Kemp LoadMaster GA version 7.2.63.1 and earlier, as well as LTSF version 7.2.54.17 and earlier, specifically when the API feature is enabled. Progress has addressed the flaw by transitioning from uninitialized malloc allocation to zero-filled calloc memory and by adding the missing null terminator to the escaped output buffer. These changes eliminate the out-of-bounds memory read that enabled exploitation. The fix also extends to Progress ECS Connection Manager and Progress Connection Manager for ObjectScale.
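To make the bug class concrete, the following is a hypothetical reimplementation of the escaping pattern described above, written for this article and not taken from LoadMaster, Progress or WatchTowr Labs: the vulnerable form sizes its buffer for the escaped bytes only and never writes a terminator, so a later "%s" format has no stop byte inside the allocation, while the fixed form mirrors the described change (zero-filled allocation plus an explicit terminator). The names escape_quotes_vuln, escape_quotes_fixed and terminated_within are assumptions, and the 'X' fill stands in for stale heap contents.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reimplementation for illustration, not vendor code.
 * Each single quote is rewritten as '\'' (four bytes), so four quotes
 * of input produce the sixteen escaped bytes the article mentions. */

/* Length of the escaped form, excluding any terminator. */
static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += (*in == '\'') ? 4 : 1;
    return n;
}

/* Writes the escaped bytes of `in` into `out`; returns bytes written. */
static size_t write_escaped(const char *in, char *out) {
    char *p = out;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *in;
    }
    return (size_t)(p - out);
}

/* Bug pattern: buffer sized for the escaped bytes only, no NUL written.
 * A later "%s" read has no stop byte inside the allocation and runs on
 * into neighbouring heap memory. The 'X' fill simulates stale contents. */
char *escape_quotes_vuln(const char *in, size_t *cap) {
    *cap = escaped_len(in);
    char *out = malloc(*cap ? *cap : 1);
    if (!out) return NULL;
    memset(out, 'X', *cap);             /* simulated uninitialized heap */
    write_escaped(in, out);
    return out;
}

/* Fixed pattern: one extra byte, zero-filled allocation, explicit NUL. */
char *escape_quotes_fixed(const char *in, size_t *cap) {
    *cap = escaped_len(in) + 1;
    char *out = calloc(*cap, 1);
    if (!out) return NULL;
    out[write_escaped(in, out)] = '\0';
    return out;
}

/* Check a defender can apply to any such helper: is there a terminator
 * inside the allocation, so that "%s" formatting is guaranteed to stop? */
bool terminated_within(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}
```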
What You Should Do
- Immediately Update: Organizations must upgrade their LoadMaster appliances to GA version 7.2.63.2 or LTSF version 7.2.54.18 without delay.
- Contact Vendor: If your organization lacks an active maintenance agreement, contact your vendor partner to obtain the necessary updates.
- Review Network Edge Security: Given the criticality of devices at the network perimeter, conduct a thorough review of your edge security posture to identify and address any other potential vulnerabilities.
- Monitor API Endpoints: Enhance monitoring for unusual activity on LoadMaster API endpoints, both from external and internal network sources.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.