Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
Progress Kemp LoadMaster flaw allows unauthenticated root command execution via API.
Summary
A critical vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary root commands by exploiting a flaw in the API's input sanitization. A patch is available, and while no exploitation has been reported, a proof-of-concept is public. This follows a pattern of critical vulnerabilities in LoadMaster and Progress's MOVEit software.
Full text
Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth Swati KhandelwalJun 30, 2026Vulnerability / API Security A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now. Progress published its advisory on June 4 and says it has not received any reports of exploitation. On June 29, researchers at watchTowr Labs published a detailed technical write-up that walks through the full exploit chain. What the Flaw Does LoadMaster is an application delivery controller and load balancer used by enterprises to manage traffic across servers. It sits at the network edge, which makes any pre-auth flaw in it especially dangerous. The vulnerability lives in a function called escape_quotes(), which is supposed to sanitize user input before it gets passed into a shell command. The function's job is to escape single quotes so that an attacker cannot break out of a quoted string and inject commands. The problem: it allocated a memory buffer without clearing it first and never wrote a null terminator at the end of the sanitized string. That missing terminator is the whole exploit. Without it, the system keeps reading past the end of the sanitized input into whatever data happens to sit next to it in memory. An attacker can control what sits there by stuffing extra JSON keys into the same API request, each carrying a command injection payload. The system reads the sanitized input, keeps going, hits the attacker's payload, and executes it. The attack targets the /accessv2 endpoint, which handles API credential validation. The attacker sends a JSON body with a specially crafted apiuser value and dozens of extra key-value pairs sprayed with the command they want to run. No valid credentials are needed. The command runs as root. Affected Versions and Fix The flaw affects LoadMaster GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older, when the API is enabled. Progress has released fixed versions: GA v7.2.63.2 and LTSF v7.2.54.18. The patch itself is minimal. Two changes: the memory allocation function was swapped from one that leaves the buffer uninitialized to one that zero-fills it, and an explicit null terminator was added after the escaped output. Two lines of code that close a path to the root. The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through the Zero Day Initiative on April 15, 2026. ZDI coordinated the public advisory release on June 9. watchTowr Labs independently analyzed the patch diff and published their own full technical breakdown with a working proof of concept on June 29. Progress also patched a second, high-severity flaw in the same advisory: CVE-2026-33691, a WAF bypass where whitespace padding in filenames could circumvent file upload extension checks. A Pattern Worth Watching This is not LoadMaster's first critical flaw. In November 2024, CISA added a previous LoadMaster command injection flaw (CVE-2024-1212, CVSS 10.0) to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. In April 2026, Progress patched five more high-severity LoadMaster flaws, four of them command injection issues. Progress is also the maker of MOVEit, whose 2023 vulnerabilities fueled a mass exploitation campaign by the Cl0p ransomware group. The Canadian Centre for Cyber Security has also issued an advisory urging administrators to apply the updates. No attacks on CVE-2026-8037 have been reported yet. A working proof of concept is now public. Patch, and then ask whether the API needs to be reachable at all. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE API Security, Command Injection, Kemp LoadMaster, Patch Management, Progress, remote code execution, Vulnerability, watchTowr Labs, Zero Day Initiative ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check
Indicators of Compromise
- cve — CVE-2026-8037
- cve — CVE-2026-33691
- cve — CVE-2024-1212