
CVE-2026-8037: Critical Pre-Auth RCE in Progress Kemp LoadMaster Puts Enterprise Networks at Risk

dark6 1 July 2026

A critical unauthenticated remote code execution vulnerability has been disclosed in Progress Kemp LoadMaster, one of the most widely deployed load balancers and application delivery controllers in enterprise environments. Tracked as CVE-2026-8037 and carrying a CVSS score of 9.8, the flaw allows any attacker with network access to the device’s API endpoint to execute arbitrary system commands without providing login credentials of any kind.

What Is Progress Kemp LoadMaster?

Progress Kemp LoadMaster is an enterprise-grade application delivery controller trusted by organizations worldwide to manage incoming network traffic, perform SSL/TLS offloading, execute content switching, and provide web application firewall capabilities. Because it sits at the outermost edge of corporate networks, a vulnerability in LoadMaster hands attackers a direct and unobstructed entry point into an organization’s entire infrastructure — no internal security controls need to be bypassed.

Root Cause: A Missing Null Terminator

Researchers at watchTowr Labs identified the root cause and published a detailed technical analysis. The flaw resides inside a function called escape_quotes(), which is responsible for sanitizing user input before it is passed to the system shell. While the function correctly escapes single quotes, older versions of the software failed to add a null terminator at the end of the resulting output buffer.

This seemingly minor oversight creates a dangerous path to exploitation. When a request arrives at the /accessv2 API endpoint, the apiuser value passes through escape_quotes() and gets inserted into a shell command. Because the escaped output buffer has no null terminator, the sprintf function continues reading memory past the intended boundary and into adjacent heap space.

An attacker can exploit this by adding extra JSON key-value pairs to the same request that carry a command injection payload, carefully positioning that payload inside an adjacent freed memory chunk. Sending four single quotes as the apiuser value generates sixteen bytes that overwrite allocator metadata in the neighboring chunk, ultimately clearing the path for the injected command to reach the shell and achieve root-level code execution.

Affected Versions

The vulnerability affects the following versions when the API feature is enabled:

  • Kemp LoadMaster GA version 7.2.63.1 and older
  • Kemp LoadMaster LTSF version 7.2.54.17 and older
  • Progress ECS Connection Manager (same underlying flaw)
  • Progress Connection Manager for ObjectScale

Impact and Exploitation Risk

The Zero Day Initiative assigned CVE-2026-8037 a CVSS score of 9.8, reflecting the maximum severity of the exposure. The attack requires no authentication, is fully remote, and grants root-level code execution directly on the compromised appliance. For organizations running LoadMaster at their network perimeter, this exposure is both serious and immediate. Any attacker who can reach the device’s API endpoint — whether through the public internet or from within an internal network — can fully compromise the device.

Patches and Remediation

Progress fixed the flaw by switching from uninitialized malloc allocation to zero-filled calloc memory and by adding the missing null terminator to the escaped output buffer, eliminating the out-of-bounds memory read that made exploitation possible.
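The sketch below is an added illustration of that fix pattern, not Progress's or watchTowr's code. It assumes each single quote is escaped to the four bytes '\'' (consistent with four quotes producing sixteen bytes); escape_quotes_fixed and unterminated_visible_len are hypothetical names, and "STALE" is a constructed stand-in for leftover heap bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: each ' becomes '\'' (4 bytes), so four quotes -> sixteen bytes. */
static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += (*in == '\'') ? 4 : 1;
    return n;
}

/* Copies the escaped form into `out`; writes no terminator (the described defect). */
static size_t escape_body(const char *in, char *out) {
    size_t o = 0;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    return o;
}

/* Hardened form: zero-filled allocation sized for the terminator, which is
 * also written explicitly (the two changes the article attributes to the patch). */
char *escape_quotes_fixed(const char *in) {
    size_t n = escaped_len(in);
    char *out = calloc(n + 1, 1);
    if (out == NULL) return NULL;
    escape_body(in, out);
    out[n] = '\0';
    return out;
}

/* Unpatched behaviour simulated in a bounded stack buffer: `stale` stands in for
 * leftover bytes after the output. Returns the length a %s consumer would see. */
size_t unterminated_visible_len(const char *in, const char *stale) {
    char buf[128] = {0};
    size_t n = escaped_len(in), s = strlen(stale);
    if (n + s >= sizeof buf) return 0;   /* inputs do not fit the demo buffer */
    memcpy(buf + n, stale, s);           /* bytes present before the write */
    escape_body(in, buf);                /* nothing terminates the output */
    return strlen(buf);                  /* runs on into the stale bytes */
}

int main(void) {
    char *ok = escape_quotes_fixed("''''");   /* constructed input */
    printf("fixed: %zu, unterminated: %zu\n", ok ? strlen(ok) : 0,
           unterminated_visible_len("''''", "STALE"));
    free(ok);
    return 0;
}
```

The simulation keeps the over-read inside a zero-padded local buffer so the result is deterministic; on a real heap the same read continues into whatever the allocator placed next.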

Administrators should upgrade immediately to one of the following patched versions:

  • GA version 7.2.63.2
  • LTSF version 7.2.54.18

Organizations without an active maintenance agreement should contact their vendor partner directly. As a temporary mitigation, consider restricting access to the LoadMaster API endpoint via firewall rules to trusted IP ranges only until patching can be completed.

Broader Context

This disclosure follows a broader pattern of critical vulnerabilities targeting network edge appliances. Load balancers, firewalls, and VPN gateways have become high-priority targets for threat actors precisely because they sit at the boundary of corporate networks and are often reachable from the internet. A pre-authenticated RCE at this level of the stack effectively bypasses every downstream security control an organization has deployed. Security teams should treat unpatched LoadMaster instances as a critical, time-sensitive risk and prioritize remediation accordingly.
