CVE-2026-8037 (CVSS 9.6): Kemp LoadMaster RCE
Progress Kemp LoadMaster devices are subject to active exploitation attempts targeting CVE-2026-8037, a critical operating system (OS) command injection vulnerability. This flaw, assigned a CVSS score of 9.6, allows an unauthenticated attacker to achieve arbitrary code execution on susceptible appliances. The exploitation activity, initially identified by eSentire's Threat Response Unit (TRU), commenced on June 29, 2026.
The vulnerability stems from improper handling of user-supplied input within the LoadMaster's API, specifically impacting the escape_quotes() function. Successful exploitation grants attackers the ability to execute commands on the underlying operating system without requiring prior authentication or valid credentials. This poses a significant risk to the availability and integrity of affected systems and the networks they serve.
With the public availability of a proof-of-concept (PoC) exploit and detailed technical analysis, the volume of malicious activity against CVE-2026-8037 is anticipated to increase. Organizations utilizing Progress Kemp LoadMaster appliances are advised to review their exposure and prioritize immediate remediation efforts to mitigate potential compromise.
Impact
CVE-2026-8037 allows an attacker to achieve remote code execution (RCE) on the affected appliance. This means an unauthenticated attacker can execute arbitrary commands directly on the device's operating system. The nature of a load balancer, such as the Progress Kemp LoadMaster, often places it at a critical junction within an organization's network infrastructure, handling sensitive traffic and managing access to internal resources. Compromise of such a device can therefore lead to broader network infiltration.
The CVSS score of 9.6 demonstrates the severity of this vulnerability. This high score directly reflects its characteristics: an attack vector that is network-based, requires low attack complexity, demands no privileges, and requires no user interaction. The vulnerability severely impacts confidentiality, integrity, and availability because an attacker gaining root-level command execution can exfiltrate data, manipulate system configurations, disrupt services, or establish persistence within the network. Devices exposed to the internet are at immediate and direct risk. Even if LoadMaster instances are not directly internet-facing, an attacker with internal network access could still use this flaw. Robust network segmentation is crucial. This situation is reminiscent of other critical RCE vulnerabilities, such as those described in our analysis of the actively exploited Ivanti Sentry CVE-2026-10520 RCE.
Exploitation chain
The exploitation chain for CVE-2026-8037 begins with an unauthenticated attacker sending specially crafted requests to the /accessv2 endpoint of a vulnerable Progress Kemp LoadMaster appliance. The underlying weakness is an OS command injection flaw rooted in the escape_quotes() function within the load balancer's application programming interface (API). This function is designed to sanitize user-supplied input, but it fails to properly null-terminate sanitized strings.
This failure in null-termination leads to an out-of-bounds read into adjacent heap memory. An attacker can exploit this memory corruption vulnerability by carefully crafting input. By manipulating the heap memory through specific request parameters, the attacker can then inject and execute arbitrary commands on the LoadMaster appliance. The attack requires no prior authentication, meaning any attacker with network access to the /accessv2 endpoint can attempt to exploit this flaw.
Active exploitation attempts have been observed in the wild since June 29, 2026, by eSentire's Threat Response Unit. While these initial attempts reportedly ended in failure, preventing any post-compromise activity, the availability of detailed technical analysis and a public proof-of-concept (PoC) exploit significantly increases the likelihood of more widespread and successful exploitation. The presence of a public PoC lowers the technical barrier for adversaries, making it accessible to a wider range of threat actors. This scenario aligns with patterns seen in other high-impact, unauthenticated RCE vulnerabilities like CVE-2026-5027 in Langflow, where PoC availability quickly accelerated exploitation. The vulnerability also impacts systems managed by Progress, following other unauthenticated access issues like CVE-2026-7312 in Sitefinity, which also involved credentials exposure for a Progress product.
Affected products and versions
The vulnerability CVE-2026-8037 impacts susceptible devices running Progress Kemp LoadMaster.
While the provided research references a Progress security bulletin from June 2026 that addresses this vulnerability, specific product versions affected by CVE-2026-8037 were not explicitly detailed. Organizations should consult the official Progress security bulletin released in June 2026 for full information regarding all affected versions and the corresponding security updates. It is generally understood that all versions preceding the patch released in June 2026 are considered vulnerable.
Detection
Detecting CVE-2026-8037 exploitation attempts requires vigilant monitoring of network traffic, web server logs, and system processes on Progress Kemp LoadMaster appliances.
- Network Indicators:
- Monitor incoming connections to LoadMaster appliances from the following IP addresses, which have been observed engaging in exploitation attempts:
- 192.42.116[.]58
- 192.42.116[.]105
- 146.70.139[.]154
- Look for unusual or abnormally high traffic volumes targeting the
/accessv2endpoint. - Observe unexpected outbound network connections initiated by the LoadMaster appliance, which could indicate successful command execution and beaconing by an attacker.
- Log Signatures:
- Review LoadMaster web server access logs for requests to the
/accessv2endpoint containing anomalous characters or patterns indicative of command injection attempts (e.g., semicolons, backticks, dollar signs, or shell commands within URL parameters or POST data). - Analyze system logs for unexpected process creation or command execution on the LoadMaster appliance, particularly processes not typically associated with normal load balancer operations.
- Endpoint Detection and Response (EDR) Queries (if applicable):
- If EDR solutions are deployed on the underlying operating system of the LoadMaster appliance, configure queries to detect:
- Execution of unusual shell commands or binaries (e.g.,
bash,sh,nc,curl,wget) by the web server process. - Spawning of child processes from the LoadMaster application that are not part of its standard operational scope.
- Changes to critical system files or configurations.
- Deviations from baseline configurations.
Remediation
Prompt remediation is critical to protect against the active exploitation of CVE-2026-8037.
- Patching:
- Immediately apply the latest security updates and patches released by Progress for Kemp LoadMaster.
- The vulnerability is addressed in a security bulletin issued by Progress in June 2026.
- Refer to the official Progress documentation for the specific patch versions applicable to your deployed LoadMaster models.
- Establish a regular patch management schedule for all network infrastructure devices, including load balancers.
- Workarounds and Mitigations (Prior to Patching or as Defense-in-Depth):
- Restrict Network Access: Limit network access to the LoadMaster's management interface and API endpoints (including
/accessv2) to trusted IP addresses and internal management networks only. Utilize firewall rules and network segmentation to prevent direct exposure of these interfaces to the internet. - Implement Web Application Firewall (WAF) Rules: Deploy a WAF in front of the LoadMaster and configure rules to detect and block requests containing known command injection patterns or suspicious input to the
/accessv2endpoint. This can provide an additional layer of protection, though it is not a substitute for patching. - Monitor System Logs: Continuously monitor LoadMaster system and access logs for any indicators of compromise or attempted exploitation as described in the "Detection" section.
- Review Network Segmentation: Ensure robust network segmentation is in place to minimize the lateral movement an attacker could achieve if a LoadMaster appliance were compromised.
Technical Takeaways
- CVE-2026-8037 is a critical, pre-authentication OS command injection vulnerability in Progress Kemp LoadMaster, carrying a CVSS score of 9.6.
- The flaw resides in the
escape_quotes()function's improper null-termination, leading to an out-of-bounds read and subsequent heap memory manipulation for command injection. - Exploitation requires no authentication, allowing attackers with network access to the
/accessv2endpoint to execute arbitrary commands on the appliance. - Active exploitation attempts have been observed since June 29, 2026, and a public proof-of-concept (PoC) exploit is available, increasing the immediate threat level.
- The primary remediation involves applying the security updates released by Progress in their June 2026 security bulletin, supplemented by network access restrictions and vigilant monitoring.