Published on June 30, 2026

Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth


Severity

Critical

Detail

Progress Software has released security updates to address a critical vulnerability affecting Progress Kemp LoadMaster. The vulnerability, tracked as CVE-2026-8037, allows an unauthenticated remote attacker to execute arbitrary commands as the root user on affected appliances when the API is enabled.

The vulnerability exists in the escape_quotes() function, which is responsible for sanitizing user input before it is passed to a shell command. The function fails to properly terminate the sanitized string, allowing attackers to inject malicious commands that are ultimately executed with root privileges due to improper memory handling.
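The paragraph above describes a bug class rather than a specific line of code: an escaping routine that writes its output into a buffer but never places the terminating NUL, so whatever bytes were already in memory after the last written character become part of the string that is later handed to the shell. The following is an added illustration of that class, written for this advisory; it is not Progress's escape_quotes() and the function names, buffer sizes and the 'Z' filler that stands in for stale memory are assumptions made here. The unterminated variant is shown next to a hardened one that reserves room for the terminator, always writes it, and reports when the escaped form would not fit instead of running a silently shortened command.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class, not LoadMaster's code.
 * Single quotes are rewritten as '\'' so the result can sit inside a
 * single-quoted shell argument. The output is never NUL-terminated, so the
 * caller sees the escaped bytes followed by whatever the buffer held before. */
size_t escape_quotes_unterminated(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = (*p == '\'') ? "'\\''" : NULL;
        size_t n = rep ? 4 : 1;
        if (o + n > outsz) break;           /* no byte reserved for '\0' */
        if (rep) memcpy(out + o, rep, n); else out[o] = *p;
        o += n;
    }
    return o;                               /* out[o] is left untouched */
}

/* Hardened form: keep one byte for the terminator, always write it, and
 * return (size_t)-1 when the escaped string does not fit. A caller that gets
 * -1 must reject the input; it must not run a truncated command. */
size_t escape_quotes_safe(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return (size_t)-1;
    for (const char *p = in; *p; p++) {
        const char *rep = (*p == '\'') ? "'\\''" : NULL;
        size_t n = rep ? 4 : 1;
        if (o + n + 1 > outsz) return (size_t)-1;
        if (rep) memcpy(out + o, rep, n); else out[o] = *p;
        o += n;
    }
    out[o] = '\0';
    return o;
}

/* Demo of the failure mode: fill a 32-byte buffer with 'Z' (constructed
 * stand-in for stale data from an earlier use) and escape a short input.
 * Returns the length the shell would see; for "ab" this is 31, not 2. */
size_t unterminated_result_len(const char *in) {
    char buf[32];
    memset(buf, 'Z', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    escape_quotes_unterminated(in, buf, sizeof buf);
    return strlen(buf);
}

/* Same scenario through the hardened routine: only the escaped input is visible. */
size_t safe_result_len(const char *in) {
    char buf[32];
    memset(buf, 'Z', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (escape_quotes_safe(in, buf, sizeof buf) == (size_t)-1) return (size_t)-1;
    return strlen(buf);
}

/* Helper for checks: escape into a bounded local buffer and compare.
 * expected == NULL means "the call is expected to refuse (not fit)". */
int escaped_equals(const char *in, size_t outsz, const char *expected) {
    char buf[64];
    if (outsz > sizeof buf) outsz = sizeof buf;
    size_t n = escape_quotes_safe(in, buf, outsz);
    if (n == (size_t)-1) return expected == NULL;
    return expected != NULL && strcmp(buf, expected) == 0;
}

int main(void) {
    char out[64];
    printf("unterminated: %zu bytes visible for input \"ab\"\n", unterminated_result_len("ab"));
    printf("hardened:     %zu bytes visible for input \"ab\"\n", safe_result_len("ab"));
    size_t n = escape_quotes_safe("it's", out, sizeof out);
    printf("escaped \"it's\" -> %s (%zu bytes)\n", out, n);
    return 0;
}
```

Terminating the buffer is the minimum fix for this class. The stronger design choice is to stop building shell command lines from request data at all and run the helper with an argument vector (execve or posix_spawn), so that no quoting routine stands between user input and root.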

An attacker can exploit the flaw by sending a specially crafted request to the /accessv2 API endpoint. No authentication or user interaction is required, making the vulnerability particularly dangerous for internet-facing LoadMaster appliances. Although Progress has stated that there is currently no evidence of active exploitation, a public proof-of-concept (PoC) exploit has been released by watchTowr Labs, significantly increasing the risk of exploitation.

CVE ID: CVE-2026-8037
Summary: A vulnerability in Progress Kemp LoadMaster allows an unauthenticated remote attacker to execute arbitrary commands as the root user via crafted requests to the API endpoint when the API is enabled.
CVSS Score: 9.8 (Critical)

Affected Products

The vulnerability affects the following Progress Kemp LoadMaster versions when the API is enabled:

  • LoadMaster GA v7.2.63.1 and earlier.
  • LoadMaster LTSF v7.2.54.17 and earlier.

Recommendation

Organizations are strongly advised to take the following actions to mitigate the risk of exploitation and reduce potential impact:

  • Progress recommends upgrading affected systems to the following fixed versions:
      • LoadMaster GA v7.2.63.1 and earlier – Upgrade to v7.2.63.2
      • LoadMaster LTSF v7.2.54.17 and earlier – Upgrade to v7.2.54.18
  • Disable the LoadMaster API if it is not required.
  • Restrict access to the management API using firewall rules or trusted IP addresses.
  • Review systems for indicators of compromise if the appliance was exposed to untrusted networks.
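The affected and fixed versions listed under Affected Products and Recommendation are a small inventory check once written down as code. The following is an added example, not a Progress tool or part of the advisory: it parses a LoadMaster version string, compares it numerically component by component against the last affected build for the given branch (GA or LTSF, as the advisory gives them), and reports the fixed build to move to. The branch has to be supplied because the version string alone does not say which branch an appliance follows; the function names and the 'v' prefix tolerance are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Thresholds copied from the advisory: last affected and first fixed build per branch. */
typedef struct {
    const char *branch;
    const char *last_affected;
    const char *fixed;
} branch_info;

static const branch_info BRANCHES[] = {
    { "GA",   "7.2.63.1",  "7.2.63.2"  },
    { "LTSF", "7.2.54.17", "7.2.54.18" },
};

/* Parse "a.b.c.d" (an optional leading 'v' is accepted) into four integers.
 * Returns 1 on success, 0 if the string is not exactly four dotted numbers. */
int parse_version(const char *s, int v[4]) {
    char tail;
    if (*s == 'v' || *s == 'V') s++;
    return sscanf(s, "%d.%d.%d.%d%c", &v[0], &v[1], &v[2], &v[3], &tail) == 4;
}

/* Numeric, component-wise comparison: 7.2.54.9 is older than 7.2.54.17,
 * which a plain string compare would get wrong. Returns <0, 0 or >0. */
int version_cmp(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 = affected (at or below the last affected build), 0 = not affected,
 * -1 = unknown branch or unparseable version (treat as "needs a look"). */
int is_affected(const char *branch, const char *version) {
    int v[4], last[4];
    if (!parse_version(version, v)) return -1;
    for (size_t i = 0; i < sizeof BRANCHES / sizeof BRANCHES[0]; i++) {
        if (strcmp(BRANCHES[i].branch, branch) != 0) continue;
        parse_version(BRANCHES[i].last_affected, last);
        return version_cmp(v, last) <= 0 ? 1 : 0;
    }
    return -1;
}

/* Fixed build for a branch, or NULL if the branch is not in the table. */
const char *fixed_version_for(const char *branch) {
    for (size_t i = 0; i < sizeof BRANCHES / sizeof BRANCHES[0]; i++)
        if (strcmp(BRANCHES[i].branch, branch) == 0) return BRANCHES[i].fixed;
    return NULL;
}

int main(void) {
    /* Constructed inventory lines: branch and reported version per appliance. */
    const char *inventory[][2] = {
        { "GA",   "v7.2.63.1"  },
        { "GA",   "7.2.63.2"   },
        { "LTSF", "7.2.54.9"   },
        { "LTSF", "7.2.54.18"  },
        { "GA",   "7.2.63"     },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        const char *branch = inventory[i][0], *ver = inventory[i][1];
        int r = is_affected(branch, ver);
        if (r == 1)
            printf("%-5s %-10s AFFECTED  -> upgrade to %s\n", branch, ver, fixed_version_for(branch));
        else if (r == 0)
            printf("%-5s %-10s ok\n", branch, ver);
        else
            printf("%-5s %-10s could not evaluate (unknown branch or malformed version)\n", branch, ver);
    }
    return 0;
}
```

The upgrade result is the primary action; the check returns -1 rather than "ok" for anything it cannot evaluate, so a malformed version string or an unrecognised branch shows up for review instead of silently passing. The other mitigations listed above (disabling the API when unused and restricting management access to trusted addresses) still apply to appliances that cannot be upgraded immediately.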

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-8037

https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html