
CVE-2026-8037: Critical Pre-Auth RCE Hits Progress Kemp LoadMaster (Patch Now)

CVE-2026-8037 is a critical (CVSS 9.8) pre-auth remote code execution flaw in Progress Kemp LoadMaster that gives attackers root via a single API request. A public exploit dropped June 29 — here's who's affected and how to patch.

Waqas Ahmed Waseer Jul 1, 2026 7 min read

A critical flaw in Progress Kemp LoadMaster, tracked as CVE-2026-8037, lets an unauthenticated attacker run commands as root on the load balancer by sending a single crafted request to its API. It carries a CVSS score of 9.8, affects every LoadMaster build up to the June patch, and now has a public proof-of-concept exploit — so the window between "theoretical" and "worming through networks" is closing fast. If you run a LoadMaster with the API enabled, patch it today.

Here's what the bug is, which versions are exposed, how the exploit actually works, and what to do before someone else finds your appliance.

What is CVE-2026-8037?

CVE-2026-8037 is a pre-authentication remote code execution vulnerability in the LoadMaster management API. No credentials, no session, no user interaction — an attacker who can reach the appliance's API endpoint can execute arbitrary shell commands with root privileges. Because LoadMaster is an application delivery controller that usually sits at the network edge, terminating TLS and steering traffic to back-end servers, a root shell on it is close to a worst-case foothold.

The flaw was reported to Trend Micro's Zero Day Initiative by researcher Syed Ibrahim Ahmed on April 15, 2026, and ZDI published its coordinated advisory on June 9. Progress had already shipped a fix on June 4. The reason it's a story now is that on June 29, watchTowr Labs published a full technical breakdown with a working proof of concept — turning an n-day that many admins had ignored into something any competent attacker can now reproduce.

Which LoadMaster versions are affected?

The vulnerability hits both release channels, but only when the LoadMaster API is enabled. If you patched on or after June 4, you're covered; if you haven't touched the box since spring, you're almost certainly exposed.

| Channel | Affected versions | Patched version | Fix released |
|---|---|---|---|
| GA (General Availability) | v7.2.63.1 and earlier | v7.2.63.2 | June 4, 2026 |
| LTSF (Long-Term Support Feature) | v7.2.54.17 and earlier | v7.2.54.18 | June 4, 2026 |

The one mitigating condition is the API. LoadMaster's REST API is not on by default in every deployment, and appliances with the API disabled aren't reachable through this bug. That's the single fastest way to check your exposure: if the API is enabled and internet-facing, treat the box as compromised-until-patched.

How the exploit works

The bug lives in a helper function called escape_quotes(), whose entire job is to make user input safe before it's passed into a shell command. It's supposed to escape single quotes so an attacker can't break out of a quoted string and inject their own commands. Instead, it introduced two subtle memory bugs that together defeat that protection.

First, the function allocated its output buffer with malloc() instead of calloc(), so the memory came back uninitialized — full of whatever bytes were there before, including leftover heap data. Second, after writing the escaped string, it never added a null terminator to mark where the string ends. Downstream, __sprintf_chk() keeps reading past the intended end of the buffer into adjacent heap memory.

That over-read is the whole exploit. The /accessv2 endpoint processes a JSON body with apiuser and apipass fields. An attacker sends four single quotes in apiuser, which expand into 16 escaped bytes and clobber allocator metadata in neighboring freed chunks, while extra JSON key-value pairs spray command payloads across the heap. When the unterminated buffer is read, it runs straight into the sprayed payload, and the command executes through the underlying system() call — as root. Progress's fix is exactly what you'd expect: switch to calloc() for zeroed memory and explicitly null-terminate the string.
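To make the two defects concrete, here is an added example in C: a hypothetical reconstruction of the bug class, not Progress Kemp's actual code, showing the vulnerable pattern beside the hardened one. It assumes the common shell escaping in which one single quote becomes the four bytes `'\''` (consistent with the four-quotes-to-16-bytes figure above); the names escape_quotes_vulnerable, escape_quotes_fixed and check_escape are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class the write-up describes, not
 * Progress Kemp's source. Assumption: each ' becomes the four bytes '\''
 * (matches the article's "four quotes expand into 16 escaped bytes"). */
#define ESCAPED_QUOTE "'\\''"

/* Vulnerable pattern (shown for reading, never called): malloc() returns
 * uninitialised heap, no byte is reserved or written for '\0', so a later
 * strlen()/sprintf-family consumer reads on into adjacent heap memory. */
char *escape_quotes_vulnerable(const char *in) {
    size_t len = strlen(in), j = 0;
    char *out = malloc(len * 4);          /* no room for the terminator */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'') { memcpy(out + j, ESCAPED_QUOTE, 4); j += 4; }
        else out[j++] = in[i];
    }
    return out;                           /* still unterminated */
}

/* Hardened pattern mirroring the described fix: zeroed allocation with room
 * for the terminator, and the terminator written explicitly. */
char *escape_quotes_fixed(const char *in) {
    size_t len = strlen(in), j = 0;
    char *out = calloc(len * 4 + 1, 1);   /* zeroed, +1 for '\0' */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'') { memcpy(out + j, ESCAPED_QUOTE, 4); j += 4; }
        else out[j++] = in[i];
    }
    out[j] = '\0';                        /* explicit terminator */
    return out;
}

/* Returns 1 if escaping `in` yields exactly `expected`; frees the result. */
int check_escape(const char *in, const char *expected) {
    char *e = escape_quotes_fixed(in);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void) {
    char *e = escape_quotes_fixed("''''");
    if (e) { printf("%zu bytes: %s\n", strlen(e), e); free(e); }  /* 16 bytes */
    return 0;
}
```

The fixed version is what a reviewer should expect of any escaping helper that feeds a shell: the output is bounded, fully initialised and terminated, so the consumer cannot read past it regardless of what the heap held.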

Is it being exploited in the wild?

As of July 1, 2026, there is no confirmed in-the-wild exploitation and CVE-2026-8037 is not yet listed in CISA's Known Exploited Vulnerabilities catalog. But that is cold comfort. The gap between a public PoC and mass scanning is now routinely measured in hours to days, not weeks — edge appliances get fingerprinted by internet-wide scanners almost immediately after a write-up drops. A CVSS 9.8 pre-auth root RCE on an internet-facing load balancer, with working exploit code already circulating, is exactly the profile that ransomware affiliates and initial-access brokers race to weaponize. Treat "not yet exploited" as "not yet your turn."

What to do right now

The remediation is unglamorous and urgent:

  • Patch immediately to GA v7.2.63.2 or LTSF v7.2.54.18 (or later). This is the only real fix.
  • If you can't patch this instant, disable the LoadMaster API or restrict it to a trusted management network. The bug is unreachable when the API is off, and it should never be exposed to the public internet regardless.
  • Assume breach on any box that sat unpatched while internet-facing. Rotate credentials and TLS keys the appliance handled, and hunt for unexpected processes, cron jobs, or config changes — a root shell means an attacker could have persisted before you patched.
  • Segment your management plane. Admin APIs on edge appliances belong behind a VPN or bastion, not open to the world. This is the same lesson our zero trust vs VPN breakdown keeps coming back to: never trust the network edge by default.

Why edge appliances keep being the soft spot

CVE-2026-8037 isn't an isolated slip — it's the latest entry in a pattern that has defined enterprise breaches for three years. Citrix NetScaler, Ivanti Connect Secure, Fortinet FortiOS, F5 BIG-IP: the devices that live at the perimeter, speak custom C, and rarely get rebooted are the ones attackers mine hardest, because one flaw yields pre-auth root at the exact chokepoint where all the traffic flows. Load balancers and gateways are ancient codebases wearing a modern web UI, and memory bugs like this uninitialized-heap slip are endemic to that C plumbing.

The defensive takeaway isn't "buy a different appliance." It's operational: inventory every edge device and its firmware version, subscribe to the vendor's security feed so you learn about a fix on day zero rather than day 25, keep management interfaces off the public internet, and patch edge gear on a faster clock than the rest of your fleet. The organizations that got burned by the npm supply-chain crisis and by every NetScaler wave before it had the same root cause — a patch existed and nobody applied it in time. LoadMaster is handing you the patch three weeks early. Use the lead.

FAQ

Is CVE-2026-8037 being actively exploited? No confirmed in-the-wild exploitation had been reported as of July 1, 2026, and it isn't in CISA's KEV catalog yet. But a working public proof of concept exists as of June 29, so exploitation attempts against exposed, unpatched appliances should be considered imminent.

How do I know if my LoadMaster is vulnerable? Check your LMOS version and whether the API is enabled. GA builds v7.2.63.1 and earlier, and LTSF builds v7.2.54.17 and earlier, are vulnerable when the API is on. If the API is disabled, this specific bug isn't reachable.

What version fixes it? Progress released the fix on June 4, 2026: upgrade to GA v7.2.63.2 or LTSF v7.2.54.18 (or newer). The patch replaces the faulty memory allocation and adds the missing null terminator.

What can an attacker do with it? Run arbitrary commands as root on the load balancer without authenticating — full control of an appliance that typically terminates TLS and routes internal traffic. That makes it a launchpad for intercepting traffic, pivoting into the internal network, and deploying ransomware.

Can I mitigate without patching? Temporarily, yes: disable the LoadMaster API or restrict it to a trusted management network so the vulnerable /accessv2 endpoint isn't reachable. This is a stopgap — apply the official patch as soon as you can.

