Back to advisories

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

A critical pre-auth RCE vulnerability (CVE-2026-8037, CVSS 9.6) in Progress Kemp LoadMaster is actively being exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands via the /accessv2 API endpoint. Any organization running Kemp LoadMaster is at immediate risk.

CRITICALAdvisoryJul 02, 2026
Action required
Identify all Kemp LoadMaster instances in your environment immediately. Apply the latest security patch from Progress. Block the three known attacker IPs if detected in logs. Monitor /accessv2 API endpoint for suspicious requests and command execution activity.
Affected products
Progress SoftwareKemp LoadMastereSentirewatchTowr Labs