Back to advisories

Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth

Critical unauthenticated RCE in Progress Kemp LoadMaster (CVE-2026-8037) allows attackers to execute arbitrary root commands via API input sanitization bypass. A public proof-of-concept exists. All LoadMaster instances are at risk unless patched immediately.

CRITICALAdvisoryJun 30, 2026
Action required
Identify all Kemp LoadMaster appliances in your environment and patch to the latest version today. If patching is delayed, implement network-level access controls to restrict API exposure until remediation is complete.
Affected products
LoadMasterProgressMOVEit