Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
Progress Kemp LoadMaster pre-auth RCE (CVE-2026-8037) under active exploitation
Summary
A critical pre-authentication remote code execution vulnerability (CVE-2026-8037, CVSS 9.6) in Progress Kemp LoadMaster has faced active exploitation attempts since June 29, 2026. The flaw stems from improper input sanitization in the escape_quotes() function reachable through the /accessv2 API endpoint: sanitized strings are not null-terminated, which allows unauthenticated attackers to manipulate adjacent heap memory and execute arbitrary OS commands. eSentire observed multiple exploitation attempts from three distinct IP addresses, though the initial efforts failed and produced no post-compromise activity.
Full text
Ravie Lakshmanan, Jul 01, 2026. Vulnerability / Network Security

A recently disclosed critical security flaw affecting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU).

The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve arbitrary code execution on susceptible devices. The exploitation activity commenced on June 29, 2026.

"OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an unauthenticated attacker with permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input," Progress said in an advisory for the vulnerability released early last month.

In an analysis published this week, watchTowr Labs traced the flaw to a function named "escape_quotes()" within the load balancer application that mishandles user-supplied input. The function fails to null-terminate the sanitized strings it produces, which leads to an out-of-bounds read into adjacent heap memory. An attacker could weaponize this bug by issuing specially crafted requests to the "/accessv2" endpoint that manipulate heap memory to enable command injection.

The impact of successful exploitation is severe, as it allows an unauthenticated attacker to run arbitrary commands on the affected appliance without possessing valid credentials.

eSentire noted that the exploitation attempts it observed failed, so no post-compromise activity occurred. However, the availability of a proof-of-concept (PoC) exploit and detailed technical information is expected to drive further malicious activity against CVE-2026-8037 in the immediate future.
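The bug class watchTowr describes (an escaping routine that hands back a buffer with no terminating NUL) is easy to reproduce in miniature. The following is an added illustration written for this page, not LoadMaster code or watchTowr's analysis: the buggy routine, a hardened form that fails closed on truncation, and a check a reviewer can apply to any such buffer. The function names and the 8-byte buffer are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class (not LoadMaster code): the
 * NUL is written only when spare room happens to exist, so input that
 * exactly fills `out` leaves no terminator and a later "%s" or strlen()
 * reads into whatever heap data sits after the buffer. */
size_t escape_quotes_buggy(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int q = (in[i] == '"' || in[i] == '\'');
        if (o + (q ? 2 : 1) > outlen) break;   /* escaped byte would not fit */
        if (q) out[o++] = '\\';
        out[o++] = in[i];
    }
    if (o < outlen) out[o] = '\0';              /* BUG: skipped on exact fit */
    return o;
}

/* Hardened form: reserves the last byte for the NUL, never splits a backslash
 * from its quote, and returns -1 on truncation so the caller rejects the
 * request instead of building a command from a mangled string. */
int escape_quotes_safe(const char *in, char *out, size_t outlen)
{
    if (outlen == 0) return -1;
    size_t o = 0, limit = outlen - 1;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int q = (in[i] == '"' || in[i] == '\'');
        if (o + (q ? 2 : 1) > limit) { out[o] = '\0'; return -1; }
        if (q) out[o++] = '\\';
        out[o++] = in[i];
    }
    out[o] = '\0';
    return (int)o;
}

/* 1 if `buf` holds a NUL within `len` bytes, i.e. is safe to use as a C string. */
int is_terminated(const char *buf, size_t len) { return memchr(buf, '\0', len) != NULL; }

/* Runs both versions over a constructed value that escapes to exactly 8 bytes.
 * Returns 1 when the buggy version leaves the buffer unterminated and the
 * safe version rejects the input yet still terminates it. */
int demo_exact_fit(void)
{
    char buf[8];
    memset(buf, 'A', sizeof buf);                /* sentinel bytes, no NUL */
    size_t n = escape_quotes_buggy("ab\"cd\"e", buf, sizeof buf);
    int leak = (n == 8 && !is_terminated(buf, sizeof buf));
    memset(buf, 'A', sizeof buf);
    int rc = escape_quotes_safe("ab\"cd\"e", buf, sizeof buf);
    return leak && rc == -1 && is_terminated(buf, sizeof buf);
}
```

In a code review, the `is_terminated` check is the kind of assertion worth placing between any sanitizer and the code that later formats or executes its output.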
The attack attempts originate from the following IP addresses:

- 192.42.116[.]58
- 192.42.116[.]105
- 146.70.139[.]154

CVE-2026-8037 is the second Progress Kemp LoadMaster flaw to see active exploitation after CVE-2024-1212 (CVSS score: 10.0), another critical OS command injection vulnerability that could be abused for arbitrary system command execution.
Indicators of Compromise
- cve — CVE-2026-8037
- cve — CVE-2024-1212
- ip — 192.42.116.58
- ip — 192.42.116.105
- ip — 146.70.139.154