Critical Progress Kemp LoadMaster Vulnerability Enables Pre-Auth Remote Code Execution

Jun 30, 2026 · 4 min read
A critical security vulnerability in Progress Kemp LoadMaster has put enterprise networks across the globe at serious risk.

Tracked as CVE-2026-8037, the flaw allows an unauthenticated remote attacker to execute arbitrary system commands directly on affected appliances, with absolutely no login credentials required to do so.

Kemp LoadMaster is a widely deployed load balancer and application delivery controller trusted by enterprise environments around the world.

It manages incoming network traffic, handles SSL and TLS offloading, performs content switching, and includes a built-in web application firewall designed to guard against common threats.

Since it typically sits at the outermost edge of corporate networks, a vulnerability of this nature hands attackers a direct and completely unobstructed path into an organization’s infrastructure without needing to overcome any additional internal security controls.

Researchers at WatchTowr Labs identified the root cause of the vulnerability and published a thorough technical breakdown of exactly how it works.

According to the WatchTowr Labs report shared with Cyber Security News (CSN), the bug originates in a flawed memory handling routine inside the device’s access executable, where user-controlled input is not properly sanitized before being passed to the system shell.

The flaw was first reported to Progress by researcher Syed Ibrahim Ahmed of TrendAI Research, and the vendor published its official advisory on June 4, 2026.

The Zero Day Initiative assigned CVE-2026-8037 a CVSS score of 9.8, placing it firmly in the critical severity category.

This score reflects the fact that no authentication is required, the attack is fully remote, and successful exploitation grants an attacker root-level code execution directly on the compromised appliance.

Access executable (Source: WatchTowr Labs)

For organizations running LoadMaster at their network perimeter, the exposure is both serious and immediate, and any delay in patching only increases the overall window of risk.

Progress has since released patched firmware versions that fully resolve the issue. Organizations that have not yet applied those updates remain exposed to any attacker who can reach the device’s API endpoint, whether that access comes through the public internet or from somewhere deeper within the internal network.

Critical Progress Kemp LoadMaster Vulnerability

The vulnerability resides inside a function called escape_quotes(), which sanitizes user input before it is passed to a shell command.

The function correctly escapes single quotes in user input, but in older versions of the software it failed to add a null terminator at the end of the resulting output buffer.

That seemingly small oversight transforms a routine memory handling error into a dangerous and fully exploitable remote code execution path.

Fake survey (Source: WatchTowr Labs)

When a request arrives at the /accessv2 API endpoint, the apiuser value passes through escape_quotes() and gets inserted into a shell command the system then executes.

Since the escaped output buffer has no null terminator, the sprintf function keeps reading memory past the intended boundary and into adjacent heap space.

An attacker exploits this by padding the same request with extra JSON key-value pairs that carry a command injection payload, positioning that payload inside an adjacent freed heap chunk.

Sending four single quotes as the apiuser value generates sixteen bytes that overwrite allocator metadata in the neighboring chunk, clearing the path for the injected command to reach the shell and achieve full root-level code execution on the target device.

The vulnerability affects Kemp LoadMaster GA version 7.2.63.1 and older, along with LTSF version 7.2.54.17 and older, specifically when the API feature is enabled on the device.

Progress fixed the flaw by switching from uninitialized malloc allocation to zero-filled calloc memory and by adding the missing null terminator to the escaped output buffer, which eliminates the out-of-bounds memory read that made exploitation possible.
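As an added illustration (not WatchTowr Labs' or Progress's code), the shape of the defect the article describes: an escape routine whose output buffer is never NUL-terminated, beside the calloc-plus-terminator fix, with a check for whether a terminator lies inside the allocation. The `'\''` expansion and the buffer sizing are assumptions; the article only says the routine escapes single quotes.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: each single quote is rewritten as the four-byte POSIX-shell
 * idiom '\'' (close, escaped quote, reopen); four quotes producing sixteen
 * bytes, as the article states, is consistent with that idiom. */
static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += (*in == '\'') ? 4 : 1;
    return n;
}

static void escape_into(const char *in, char *out) {
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out, "'\\''", 4); out += 4; }
        else *out++ = *in;
    }
}

/* Pre-fix behaviour as described: malloc'd buffer, escaped bytes copied in,
 * but no NUL terminator is ever written. */
char *escape_quotes_vuln(const char *in, size_t *cap) {
    *cap = escaped_len(in) + 1;
    char *out = malloc(*cap);
    if (!out) return NULL;
    memset(out, 'X', *cap);  /* constructed stand-in for stale heap bytes */
    escape_into(in, out);    /* nothing writes out[*cap - 1] = '\0' */
    return out;
}

/* Post-fix behaviour: zero-filled calloc plus an explicit terminator. */
char *escape_quotes_fixed(const char *in, size_t *cap) {
    *cap = escaped_len(in) + 1;
    char *out = calloc(*cap, 1);
    if (!out) return NULL;
    escape_into(in, out);
    out[*cap - 1] = '\0';
    return out;
}

/* The check that matters: is there a NUL inside the allocation? If not, any
 * %s consumer such as sprintf reads on into whatever follows on the heap. */
bool terminated_within(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}
```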

Administrators are strongly encouraged to upgrade immediately to GA version 7.2.63.2 or LTSF version 7.2.54.18. The same fix also extends to Progress ECS Connection Manager and Progress Connection Manager for ObjectScale.

Organizations without an active maintenance agreement should contact their vendor partner directly to obtain the update and ensure their network edge devices are fully secured against exploitation.

Source: CybersecurityNews.com
