Kemp LoadMaster CVE-2026-8037 Unauth RCE (CVSS 9.8)
Progress Kemp LoadMaster is affected by CVE-2026-8037, a vulnerability enabling unauthenticated root command execution on the appliance. This flaw, rated with a CVSS score of 9.8 by ZDI, exists in the appliance's API and allows an attacker to bypass input sanitization mechanisms.
The vulnerability was privately reported in April 2026, with Progress releasing an advisory and patches on June 4, 2026. While Progress has stated no reports of in-the-wild exploitation have been received as of June 30, 2026, a public proof-of-concept (PoC) has since been released by watchTowr Labs, increasing the risk of imminent exploitation.
Organizations utilizing Kemp LoadMaster appliances with the API enabled should patch immediately. The severity of CVE-2026-8037 and the availability of a public PoC require attention to prevent potential system compromise.
Impact
An attacker successfully exploiting CVE-2026-8037 can achieve unauthenticated root-level command execution on the target Progress Kemp LoadMaster appliance. This level of compromise grants complete control over the device, allowing for arbitrary command execution within the appliance's operating system. The CVSS score of 9.8 demonstrates the high severity of this vulnerability.
Kemp LoadMaster acts as an application delivery controller and load balancer, often operating at the network edge and handling external traffic. A pre-authentication root-level compromise of such a device can have wide-ranging effects, including:
- Complete loss of confidentiality, integrity, and availability of the LoadMaster itself.
- Lateral movement into internal networks, as the compromised appliance may have privileged network access.
- Interception, modification, or redirection of legitimate application traffic.
- Establishment of persistent access for further reconnaissance or exfiltration of sensitive data.
- Potential use of the appliance as a beachhead for advanced persistent threats (APTs) or ransomware groups.
Any organization running affected Kemp LoadMaster versions with the API enabled faces significant risk.
How does CVE-2026-8037 enable unauthenticated root command execution?
CVE-2026-8037 is an unauthenticated command injection vulnerability stemming from a flaw in the escape_quotes() function within the Kemp LoadMaster API, compounded by improper memory management. This function is designed to sanitize user-supplied input by escaping single quotes (') before passing the string to a shell command, preventing command injection.
The core of the vulnerability lies in two related issues within escape_quotes():
- Uninitialized Memory Allocation: The function allocates a memory buffer for the sanitized string without first clearing its contents. This means the buffer may contain residual data from previous memory operations.
- Missing Null Terminator: The function fails to write a null terminator (\0) at the end of the sanitized string.
Without a null terminator, the system's string-handling functions continue reading beyond the intended boundary of the sanitized input, into whatever arbitrary data happens to be located immediately adjacent in memory. An attacker can manipulate this adjacent memory region by "spraying" it with their command injection payload. This is achieved by including numerous additional JSON key-value pairs within the same API request. These extra pairs, while seemingly irrelevant to the API's function, are strategically placed to fill memory areas adjacent to the escape_quotes() buffer with attacker-controlled data. When the system reads past the end of the unterminated sanitized input, it encounters and executes the attacker's injected commands.
The attack specifically targets the /accessv2 endpoint, which is responsible for API credential validation. An attacker sends a specially crafted JSON body where the apiuser value is manipulated to trigger the escape_quotes() flaw. By carefully constructing the request with dozens of additional key-value pairs containing command injection snippets, the attacker can ensure their payload lands in the memory region immediately following the escape_quotes() buffer. As no valid credentials are required to interact with this endpoint for initial processing, the attack is pre-authentication, meaning an attacker does not need to be authenticated to the device. Upon successful execution, the injected command runs with root privileges on the LoadMaster appliance.
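To make the two defects concrete, here is a small C sketch written for this page; it is not Progress code and does not reproduce the LoadMaster API. The function escape_quotes_into(), the 'R'-filled arena, the 16-byte buffer and the input "ab'c" are all constructed stand-ins. The unterminated variant shows how a later string-handling call (here strlen()) runs straight through the escaped text into whatever residue sits next to it, and the patched shape (zero-filled allocation plus an explicit terminator, as described under Remediation) shows why the fix closes that gap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape every single quote with a backslash, writing into a caller-supplied
 * buffer of `cap` bytes. With terminate == 0 the result is left unterminated,
 * modelling the flaw the advisory describes; with terminate == 1 a '\0' is
 * appended, modelling the patched shape. Returns the number of bytes written. */
size_t escape_quotes_into(char *out, size_t cap, const char *in, int terminate) {
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        if (j + 2 >= cap) break;            /* never write past the buffer */
        if (*p == '\'') out[j++] = '\\';
        out[j++] = *p;
    }
    if (terminate && j < cap) out[j] = '\0';
    return j;
}

/* A constructed stand-in for a reused heap region: the escaped string is
 * written into the first 16 bytes, and everything after it is leftover
 * data ('R') from an earlier use, with a terminator only at the far end.
 * Returns what strlen() reports for the result, i.e. how far a later
 * string-handling call would read. */
#define ARENA_SIZE 64
size_t observed_length(int terminate) {
    char arena[ARENA_SIZE];
    memset(arena, 'R', sizeof arena);       /* residue from a previous allocation */
    arena[ARENA_SIZE - 1] = '\0';           /* the first NUL is 63 bytes away */
    escape_quotes_into(arena, 16, "ab'c", terminate);
    return strlen(arena);                   /* 5 when terminated, 63 when not */
}

/* The patched shape described under Remediation: a zero-filled allocation
 * (calloc instead of malloc) plus an explicit terminator, so nothing beyond
 * the escaped text can be appended to the string handed to the shell. */
char *escape_quotes_patched(const char *in) {
    size_t cap = 2 * strlen(in) + 1;        /* worst case: every byte is a quote */
    char *out = calloc(cap, 1);
    if (!out) return NULL;
    escape_quotes_into(out, cap, in, 1);
    return out;
}

/* Convenience check: does the patched routine produce exactly `expected`? */
int patched_equals(const char *in, const char *expected) {
    char *s = escape_quotes_patched(in);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void) {
    printf("terminated:   strlen = %zu\n", observed_length(1));
    printf("unterminated: strlen = %zu\n", observed_length(0));
    printf("patched(\"it's\") == \"it\\'s\": %s\n", patched_equals("it's", "it\\'s") ? "yes" : "no");
    return 0;
}
```

The unterminated case reports 63 bytes rather than 5: every byte of residue up to the next NUL becomes part of the "sanitized" string. Either half of the patch alone narrows the problem (zero-filling makes the residue harmless, the terminator stops the read), and the two together remove it.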
The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research, who reported it to the Zero Day Initiative (ZDI) on April 15, 2026. ZDI coordinated the public advisory release with Progress on June 9, 2026. Independent research by watchTowr Labs, published on June 29, 2026, confirmed the exploitability with a detailed technical write-up and a working proof-of-concept. This independent validation and public PoC increase the threat posed by CVE-2026-8037.
Progress patched another high-severity flaw, CVE-2026-33691, in the same advisory. This secondary vulnerability involved a Web Application Firewall (WAF) bypass through whitespace padding in filenames, which could circumvent file upload extension checks. This indicates a need for thorough security review across the LoadMaster codebase. The consistent pattern of vulnerabilities in Progress products, including Kemp LoadMaster and the widely exploited MOVEit Transfer, requires a proactive and strong patching strategy. For additional information on RCE vulnerabilities, our prior analysis of an unauthenticated RCE vulnerability with a CVSS 9.8 score provides further technical detail on similar threat models.
Affected Products and Versions
The CVE-2026-8037 vulnerability impacts Progress Kemp LoadMaster appliances when the API is enabled. Affected versions include:
- Progress Kemp LoadMaster GA v7.2.63.1 and all older GA versions.
- Progress Kemp LoadMaster LTSF v7.2.54.17 and all older LTSF versions.
Organizations operating any of these versions with the API active should consider their systems vulnerable.
What detection methods are applicable for CVE-2026-8037?
Effective detection of exploitation attempts or successful compromise related to CVE-2026-8037 requires monitoring specific indicators on Progress Kemp LoadMaster appliances and associated network traffic.
- API Log Analysis:
- Review LoadMaster API access logs for requests directed at the /accessv2 endpoint originating from unexpected or untrusted IP addresses.
- Look for requests to /accessv2 containing an unusually large number of JSON key-value pairs or excessively long string values, indicative of an attempt to spray memory with a command injection payload.
- Monitor for attempts to access the API with non-existent or malformed apiuser values that precede command execution.
- Process Monitoring:
- Implement monitoring for anomalous child processes spawned by the core LoadMaster services (e.g., kemp_web or similar HTTP daemon processes).
- Look for the execution of unexpected shell commands (e.g., sh, bash), network utilities (curl, wget, nc, socat), or system modification commands (e.g., useradd, passwd, apt, yum).
- Monitor for process execution within directories not typically used by LoadMaster for binaries, such as /tmp or /var/run.
- Network Indicators of Compromise (IOCs):
- Monitor outbound network connections originating from the LoadMaster appliance to external IP addresses that are not part of its normal operational profile. This could indicate command and control (C2) communication or data exfiltration.
- Look for attempts to establish reverse shells or bind shells on unusual ports.
- Detect unexpected DNS queries or connections to known malicious domains.
- File System Monitoring:
- Monitor for the creation of new, unauthorized files or directories, especially in sensitive locations, which could be part of an attacker's persistence mechanism or staging area.
- Look for modifications to system configuration files or core LoadMaster binaries.
- Endpoint Detection and Response (EDR) Systems:
- Configure EDR solutions deployed within the network segment housing LoadMaster appliances to alert on anomalous process creation, suspicious network connections, or file system changes originating from these systems.
- While LoadMaster appliances may not typically support full EDR agents, network-based EDR or surrounding host-based EDR on adjacent systems can provide valuable contextual alerts.
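The API log items above can be turned into a simple triage rule. The following C program is an added example, not part of this advisory or of any Kemp tooling: the log records, the trusted management addresses, the /health path, and the two thresholds are constructed or assumed, and the key counter is a deliberately rough heuristic rather than a JSON parser. It scores only /accessv2 requests, flags sources outside the management allowlist, bodies with far more keys than a credential check needs, and oversized string literals.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Triage flags returned by triage(). */
#define F_UNTRUSTED_SRC 1   /* request did not come from a known management host */
#define F_MANY_KEYS     2   /* body carries far more JSON keys than a login needs */
#define F_LONG_VALUE    4   /* body carries an oversized string literal */

#define KEY_THRESHOLD   10  /* assumed: a normal /accessv2 body has a handful of keys */
#define VALUE_THRESHOLD 256 /* assumed: longest plausible credential length */

/* Assumed management addresses (constructed for this example). */
static const char *const TRUSTED_MGMT[] = { "10.0.0.10", "10.0.0.11" };

struct api_request { const char *src_ip; const char *path; const char *body; };

/* Count JSON keys: a closing quote followed (after whitespace) by a colon.
 * Deliberately rough (nesting is ignored); good enough for a triage rule. */
size_t count_json_keys(const char *body) {
    size_t keys = 0;
    int in_string = 0;
    for (const char *p = body; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }   /* skip escaped byte */
        if (*p != '"') continue;
        in_string = !in_string;
        if (in_string) continue;
        const char *q = p + 1;                       /* a string just closed */
        while (*q && isspace((unsigned char)*q)) q++;
        if (*q == ':') keys++;
    }
    return keys;
}

/* Length of the longest string literal (key or value) in the body. */
size_t longest_string(const char *body) {
    size_t longest = 0, cur = 0;
    int in_string = 0;
    for (const char *p = body; *p; p++) {
        if (*p == '\\' && p[1]) { p++; if (in_string) cur++; continue; }
        if (*p == '"') {
            if (in_string && cur > longest) longest = cur;
            in_string = !in_string;
            cur = 0;
        } else if (in_string) {
            cur++;
        }
    }
    return longest;
}

/* Apply the three API-log heuristics to one request; only /accessv2 is scored. */
int triage(const struct api_request *r) {
    if (strcmp(r->path, "/accessv2") != 0) return 0;
    int flags = F_UNTRUSTED_SRC;
    for (size_t i = 0; i < sizeof TRUSTED_MGMT / sizeof *TRUSTED_MGMT; i++)
        if (strcmp(r->src_ip, TRUSTED_MGMT[i]) == 0) flags = 0;
    if (count_json_keys(r->body) > KEY_THRESHOLD) flags |= F_MANY_KEYS;
    if (longest_string(r->body) > VALUE_THRESHOLD) flags |= F_LONG_VALUE;
    return flags;
}

/* Constructed sample records: a routine login from a management host, a
 * request from an unknown address padded with many extra keys, and a request
 * to an unrelated (made-up) path that the rule must ignore. */
static const struct api_request SAMPLES[] = {
    { "10.0.0.10",    "/accessv2", "{\"apiuser\":\"admin\",\"apipass\":\"hunter2\"}" },
    { "198.51.100.7", "/accessv2", "{\"apiuser\":\"x\",\"k1\":\"v\",\"k2\":\"v\",\"k3\":\"v\","
                                   "\"k4\":\"v\",\"k5\":\"v\",\"k6\":\"v\",\"k7\":\"v\","
                                   "\"k8\":\"v\",\"k9\":\"v\",\"k10\":\"v\",\"k11\":\"v\"}" },
    { "198.51.100.7", "/health",   "{}" },
};

int triage_sample(size_t idx) { return triage(&SAMPLES[idx]); }

/* Constructed body whose apiuser value is `len` bytes long, from an unknown address. */
int triage_with_value_length(size_t len) {
    static char body[1024];
    size_t n = (size_t)snprintf(body, sizeof body, "{\"apiuser\":\"");
    if (len > sizeof body - n - 32) len = sizeof body - n - 32;  /* stay in bounds */
    memset(body + n, 'A', len);
    n += len;
    snprintf(body + n, sizeof body - n, "\",\"apipass\":\"x\"}");
    struct api_request r = { "198.51.100.7", "/accessv2", body };
    return triage(&r);
}

int main(void) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof *SAMPLES; i++)
        printf("%-14s %-10s flags=%d\n", SAMPLES[i].src_ip, SAMPLES[i].path, triage_sample(i));
    printf("300-byte value: flags=%d\n", triage_with_value_length(300));
    return 0;
}
```

Both thresholds should be tuned from a baseline of the appliance's own API traffic before alerting on them; the untrusted-source flag on its own is the cheapest and least noisy signal, and after patching it remains useful as evidence of who was probing the endpoint beforehand.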
Given the public availability of a proof-of-concept, establishing strong detection mechanisms is important for identifying potential exploitation attempts. Organizations should consider this alongside applying the available patches. Our prior analysis of a vulnerability in another Progress product demonstrates the need for comprehensive monitoring of products from the same vendor.
Remediation
Mitigating the risk associated with CVE-2026-8037 requires immediate action, primarily through patching and, where applicable, implementing controls.
- Apply Patches:
- Upgrade Progress Kemp LoadMaster GA installations to v7.2.63.2 or a newer version.
- Upgrade Progress Kemp LoadMaster LTSF installations to v7.2.54.18 or a newer version.
These patched versions address the uninitialized memory buffer and missing null terminator issues by changing the memory allocation function to one that zero-fills the buffer and explicitly adding a null terminator after the escaped output. This directly closes the command injection vector.
- Workarounds (if immediate patching is not feasible):
- Disable the API: If the Kemp LoadMaster API functionality is not actively used within your environment, disabling it will remove the primary attack vector for CVE-2026-8037. Consult Kemp LoadMaster documentation for specific instructions on disabling the API.
- Restrict Network Access: Implement firewall rules or Access Control Lists (ACLs) to limit network access to the LoadMaster appliance's API endpoint (/accessv2) to only trusted management IP addresses or specific internal subnets. This reduces the exposure to unauthenticated attackers from the internet or untrusted segments.
- Continuous Monitoring:
- After applying patches, maintain continuous monitoring for any suspicious activity on LoadMaster appliances. This ensures detection of any pre-existing compromises or new attack attempts.
- Regularly review system logs, network traffic, and process activity on LoadMaster devices for indicators of compromise (IOCs) as described in the detection section.
- Ensure all security tooling, including EDR and network anomaly detection, is configured to alert on any unusual behavior originating from LoadMaster systems.
The Canadian Centre for Cyber Security has also issued an advisory urging administrators to apply these updates, reinforcing the importance of this vulnerability.
Technical Takeaways
- CVE-2026-8037 is an unauthenticated command injection vulnerability affecting Progress Kemp LoadMaster appliances with an enabled API.
- The vulnerability, rated with a CVSS score of 9.8, allows attackers to achieve root-level command execution on the appliance.
- The root cause is an uninitialized memory buffer and a missing null terminator in the escape_quotes() function, allowing attackers to inject commands via adjacent memory spraying in crafted API requests to the /accessv2 endpoint.
- Affected versions include LoadMaster GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older.
- While no in-the-wild exploitation has been reported as of June 30, 2026, a public proof-of-concept by watchTowr Labs increases the risk of immediate exploitation.
- Remediation involves patching to LoadMaster GA v7.2.63.2 or LTSF v7.2.54.18, or newer versions. Disabling the API or restricting network access serves as a temporary mitigation.