Progress Software has disclosed a critical security vulnerability in Kemp LoadMaster that could allow unauthenticated attackers to execute arbitrary commands with root-level privileges on affected appliances. The flaw, tracked as CVE-2026-8037, has been assigned a CVSS score of 9.8 by Zero Day Initiative and affects systems where the LoadMaster API is enabled. Security updates have been released, and administrators are being urged to deploy the patches as soon as possible. According to Progress, there have been no reports of active exploitation at this time. However, the publication of a detailed technical analysis and proof of concept by watchTowr Labs has increased concerns that threat actors could attempt to weaponize the vulnerability against unpatched systems.
Kemp LoadMaster is widely used by organizations as an application delivery controller and load-balancing platform to manage traffic across servers and critical applications. Because the appliance often operates at the edge of enterprise networks, vulnerabilities that can be exploited without authentication present a significant security risk. Researchers explained that the flaw exists within a function known as escape_quotes(), which is designed to sanitize user-supplied input before it is passed to shell commands. The vulnerability stems from improper memory handling: a buffer was allocated without being initialized, and no null terminator was added after the sanitized string was created. As a result, the application could continue reading beyond the intended boundary of the sanitized input into adjacent memory. Researchers found that attackers could manipulate this behavior by including additional crafted JSON parameters within a request, allowing malicious command injection payloads to be interpreted and executed by the system.
According to technical details released by watchTowr Labs, the attack targets the /accessv2 API endpoint used for credential validation. By sending a specially crafted request containing a manipulated apiuser value alongside multiple malicious key-value pairs, an attacker can trigger command execution without providing valid authentication credentials. The commands are executed with root privileges, giving an attacker extensive control over the affected appliance. The vulnerability impacts LoadMaster GA version 7.2.63.1 and earlier, as well as LTSF version 7.2.54.17 and earlier, when the API feature is enabled. Progress has addressed the issue in GA version 7.2.63.2 and LTSF version 7.2.54.18. The vendor stated that the fix involved replacing a memory allocation method that left buffers uninitialized with one that automatically clears memory, and adding an explicit null terminator to prevent unintended data processing beyond the allocated buffer.
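The defect class described above (an uninitialized allocation with no terminator after the sanitized bytes) and the vendor's described fix (a zeroing allocation plus an explicit terminator), shown side by side as an added illustration in C. This is not LoadMaster's code: the arena that simulates stale heap contents, the function names and the backslash-quoting rule are all constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed heap arena. A real malloc() may return a block that still holds
 * bytes from an earlier allocation; that is modelled by filling the arena with
 * 'S' ("stale") bytes. The final byte stays NUL so that a read running past a
 * sanitized string stops inside the arena, keeping the demo deterministic. */
#define ARENA_SIZE 128
static char arena[ARENA_SIZE];
static size_t arena_used;

static void arena_reset(void) {
    memset(arena, 'S', ARENA_SIZE - 1);
    arena[ARENA_SIZE - 1] = '\0';
    arena_used = 0;
}

/* malloc()-like: hands out memory without touching its current contents. */
static char *stale_alloc(size_t n) {
    if (n > ARENA_SIZE - 1 - arena_used) return NULL;
    char *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* calloc()-like: same bump allocation, but the block is zeroed first. */
static char *zeroed_alloc(size_t n) {
    char *p = stale_alloc(n);
    if (p != NULL) memset(p, 0, n);
    return p;
}

/* Worst case each input byte expands to a backslash plus the byte itself. */
static size_t escaped_capacity(const char *in) {
    return 2 * strlen(in) + 1;
}

/* Writes `in` to `out`, prefixing every quote with a backslash (hypothetical
 * quoting rule). Returns the number of bytes written, terminator excluded. */
static size_t escape_into(const char *in, char *out) {
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '"' || in[i] == '\'') out[j++] = '\\';
        out[j++] = in[i];
    }
    return j;
}

/* Defective pattern: uninitialized allocation and no terminator after the
 * sanitized bytes, so a consumer that treats the result as a C string keeps
 * reading into whatever the adjacent memory holds. */
char *escape_quotes_unsafe(const char *in) {
    char *out = stale_alloc(escaped_capacity(in));
    if (out == NULL) return NULL;
    (void)escape_into(in, out);
    return out;
}

/* Hardened pattern matching the vendor's description of the fix: zeroed
 * allocation and an explicit terminator after the last sanitized byte. */
char *escape_quotes_hardened(const char *in) {
    char *out = zeroed_alloc(escaped_capacity(in));
    if (out == NULL) return NULL;
    size_t n = escape_into(in, out);
    out[n] = '\0';
    return out;
}

/* Number of bytes the sanitizer should produce for `in`. */
size_t expected_escaped_length(const char *in) {
    size_t n = 0;
    for (size_t i = 0; in[i] != '\0'; i++)
        n += (in[i] == '"' || in[i] == '\'') ? 2 : 1;
    return n;
}

/* Length a downstream consumer observes when it calls strlen() on each
 * variant's output; every call starts from a freshly "stale" arena. */
size_t observed_length_unsafe(const char *in) {
    arena_reset();
    char *s = escape_quotes_unsafe(in);
    return s ? strlen(s) : 0;
}

size_t observed_length_hardened(const char *in) {
    arena_reset();
    char *s = escape_quotes_hardened(in);
    return s ? strlen(s) : 0;
}

int main(void) {
    const char *sample = "it's \"ok\"";   /* constructed input */
    printf("expected %zu, unsafe consumer sees %zu, hardened consumer sees %zu\n",
           expected_escaped_length(sample), observed_length_unsafe(sample),
           observed_length_hardened(sample));
    return 0;
}
```

The point of the two observed-length functions is the check a reviewer would want: for the same input, the hardened variant yields exactly the expected number of sanitized bytes, while the unsafe variant lets strlen() (and anything else that consumes the buffer as a string) run on through the stale bytes that follow. Zeroing the allocation alone would mask the problem only while the block happens to be clean; the explicit terminator is what makes the boundary independent of prior heap contents.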
The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through Zero Day Initiative on April 15, 2026. Zero Day Initiative coordinated the public disclosure process, with an advisory issued on June 9, while watchTowr Labs later published an independent analysis and proof of concept on June 29. In the same security advisory, Progress also addressed CVE-2026-33691, a high-severity web application firewall bypass vulnerability that could allow attackers to circumvent file upload extension checks through the use of whitespace padding in filenames. Security experts note that this is not the first serious issue affecting LoadMaster. In 2024, a separate command injection vulnerability identified as CVE-2024-1212 was added to the Known Exploited Vulnerabilities catalog maintained by CISA after confirmed abuse in real-world attacks. Earlier in 2026, Progress also released fixes for five additional high-severity LoadMaster vulnerabilities, including four command injection flaws. The Canadian Centre for Cyber Security has advised administrators to apply the latest updates promptly. Although no attacks exploiting CVE-2026-8037 have been reported, the availability of public technical details and a working proof of concept increases the urgency for organizations to secure exposed systems and review whether API access is necessary for operational requirements.