Kemp LoadMaster Flaw Lets Attackers Run Commands Pre-Auth
A critical flaw in Progress Kemp LoadMaster, a load balancer appliance widely used to distribute traffic across business servers, lets an attacker run arbitrary commands with no login at all. Exploitation attempts began on June 29, and a detailed technical writeup now public is expected to accelerate the attacks.
By SecureBusinessHub Editorial, International cybersecurity desk
A load balancer sits in front of your servers directing traffic, which makes it a bad place to have a hole an attacker can walk straight through. CVE-2026-8037, in Progress Kemp LoadMaster, scores 9.6 on the CVSS scale, and eSentire's Threat Response Unit says exploitation attempts against it started on June 29, 2026.
The flaw
The bug lives in a function called escape_quotes() inside the LoadMaster API, according to a technical writeup from watchTowr Labs. The function is supposed to sanitize user-supplied input before it reaches the underlying system, but it fails to properly null-terminate the strings it cleans. That leftover gap causes an out-of-bounds read into adjacent heap memory. An attacker who sends specially crafted requests to the /accessv2 endpoint can manipulate that heap memory in a way that turns into command injection, letting them run arbitrary shell commands on the appliance itself.
The attacker needs no valid credentials and no user interaction. Progress's own advisory describes it plainly: an unauthenticated attacker with access to the API can execute arbitrary commands by exploiting unsanitized input.
Already under attack
eSentire says the exploitation attempts it observed so far have failed and resulted in no post-compromise activity. That's the good news. The bad news is that a working proof-of-concept and a full technical breakdown of the bug are now public, and history says that combination doesn't stay quiet for long. This is also the second Kemp LoadMaster flaw to see active exploitation, following CVE-2024-1212, another unauthenticated command injection bug that scored a perfect 10.0.
Load balancers make an especially attractive target because of where they sit. A LoadMaster appliance typically has one leg facing the public internet and another facing internal servers, so an attacker who gets code execution on it does not just compromise one machine. They gain a foothold with a direct line into whatever traffic and infrastructure sits behind it. That is the same reason Citrix and F5 appliances have been repeated targets for ransomware crews in past years, and why researchers keep circling back to load balancer and VPN gateway software looking for exactly this kind of bug.
Are you exposed?
- Check your firmware version. GA v7.2.63.1 and earlier, and LTSF v7.2.54.17 and earlier, are vulnerable when the API is enabled.
- Confirm whether your LoadMaster API, and specifically the /accessv2 endpoint, is reachable from the open internet rather than restricted to a management network.
- Review appliance logs for repeated malformed requests to /accessv2 in a short window, a possible sign of automated scanning for the flaw.
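To make the checks above repeatable, here is an added Python example (not code from Progress, eSentire or watchTowr): it compares a firmware build against the vulnerable ceilings the article names and flags clients that send a burst of rejected requests to /accessv2 in a short window. The log line shape is constructed for the example, and a 4xx/5xx status standing in for "malformed" is an assumption.

```python
import re
from datetime import datetime, timedelta
# Last vulnerable builds named in the article: GA v7.2.63.1 and LTSF v7.2.54.17.
VULNERABLE_CEILINGS = {"GA": "7.2.63.1", "LTSF": "7.2.54.17"}

def parse_version(text):
    """'v7.2.63.1' -> (7, 2, 63, 1) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def is_vulnerable(branch, version, api_enabled=True):
    """True when the build is at or below its branch ceiling and the API is enabled."""
    ceiling = parse_version(VULNERABLE_CEILINGS[branch])
    return bool(api_enabled) and parse_version(version) <= ceiling

# Assumed log shape (constructed; the real LoadMaster format is not in the article):
# "<ISO timestamp> <client ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def accessv2_bursts(lines, window_seconds=60, threshold=5):
    """Client IPs with >= threshold rejected (4xx/5xx) /accessv2 requests in window_seconds."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed shape
        ts, ip, _method, path, status = m.groups()
        if not path.startswith("/accessv2") or status[0] not in "45":
            continue
        hits.setdefault(ip, []).append(datetime.fromisoformat(ts))
    flagged = []
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

# Constructed sample: one scanner-like burst, one benign client, one stray error.
SAMPLE_LOG = [
    "2026-06-29T10:00:00 203.0.113.5 POST /accessv2 400",
    "2026-06-29T10:00:04 203.0.113.5 POST /accessv2 400",
    "2026-06-29T10:00:09 203.0.113.5 POST /accessv2 500",
    "2026-06-29T10:00:12 10.0.0.2 GET /accessv2 200",
    "2026-06-29T10:00:15 203.0.113.5 POST /accessv2 400",
    "2026-06-29T10:00:21 203.0.113.5 POST /accessv2 400",
    "2026-06-29T10:05:00 198.51.100.7 POST /accessv2 400",
]
```

Point `accessv2_bursts` at your real access log once you have adjusted `LOG_RE` to its actual layout; the tuple comparison in `parse_version` matters because string comparison would rank 7.2.9.x above 7.2.63.x.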
Patch now
Progress has shipped patched firmware that fully resolves the issue. Given that Kemp appliances have already been hit once this way, and that the technical details are now public, this is not a patch to leave sitting in a maintenance queue.