Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Critical Vulnerability Exposed in Progress Kemp LoadMaster Application Delivery Controller




A critical vulnerability has been exposed in the Progress Kemp LoadMaster application delivery controller and load balancer, which can be exploited by unauthenticated attackers to execute arbitrary commands as root on the appliance. The vulnerability carries a CVSS score of 9.8 according to ZDI and affects versions GA v7.2.63.1 and older, as well as LTSF v7.2.54.17 and older, when the API is enabled. A patch for this vulnerability is available, and it is recommended that users running LoadMaster with the API enabled update now.

  • A critical vulnerability (CVE-2026-8037) has been discovered in the Progress Kemp LoadMaster application delivery controller and load balancer.
  • The affected versions include GA v7.2.63.1 and older, as well as LTSF v7.2.54.17 and older when the API is enabled.
  • A patch for this vulnerability is available, and it is recommended that users running LoadMaster with the API enabled update now.
  • The vulnerability allows an attacker to execute arbitrary commands as root on the appliance by injecting malicious JSON payloads into the /accessv2 endpoint.
  • Progress has released fixed versions: GA v7.2.63.2 and LTSF v7.2.54.18, and a detailed technical write-up of the exploit chain is available.



    A recent discovery by researchers at watchTowr Labs has exposed a critical vulnerability in the Progress Kemp LoadMaster application delivery controller and load balancer, which can be exploited by unauthenticated attackers to execute arbitrary commands as root on the appliance. The vulnerability, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI.

    The affected versions of LoadMaster include GA v7.2.63.1 and older, as well as LTSF v7.2.54.17 and older, when the API is enabled. Progress has released fixed versions: GA v7.2.63.2 and LTSF v7.2.54.18. A patch for this vulnerability is available, and it is recommended that users running LoadMaster with the API enabled update now.

    The vulnerability lives in a function called escape_quotes(), which is supposed to sanitize user input before it gets passed into a shell command. The function allocates a memory buffer without clearing it first and never writes a null terminator at the end of the sanitized string. Because the string is never terminated, whatever sits next to the buffer in memory is treated as part of it, and an attacker can control those adjacent bytes by stuffing extra JSON keys into the same API request, each carrying a command injection payload.

    The attack targets the /accessv2 endpoint, which handles API credential validation. The attacker sends a JSON body with a specially crafted apiuser value and dozens of extra key-value pairs sprayed with the command they want to run. No valid credentials are needed, and the injected command runs as root, which makes the flaw especially dangerous on an application delivery controller that sits at the network edge.
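To make the bug class concrete, here is an added C illustration (not the LoadMaster source and not Progress's patch) of a quote-escaping sanitiser that leaves its output unterminated, beside a hardened version that bounds-checks every write and always terminates. The function names escape_quotes_buggy() and escape_quotes_fixed(), the 'X' fill that stands in for an uncleared allocation, and the sample input are all assumptions constructed for this example.

```c
/*
 * Added illustration of the bug class described above: a quote-escaping
 * sanitiser that never writes the terminating NUL into a buffer that was
 * handed out uncleared, beside a hardened version. This is not the LoadMaster
 * source and not Progress's fix; escape_quotes_buggy(), escape_quotes_fixed()
 * and the sample input are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

#define DEMO_CAP 32

/* Buggy pattern. In the flaw described in the article the output buffer comes
 * from an allocator that does not clear it; here the caller passes it in so
 * the stale contents can be made visible. The loop copies and escapes but
 * never writes '\0', so a later strlen()/strcpy()/snprintf("%s") keeps reading
 * whatever bytes follow the escaped text. */
void escape_quotes_buggy(const char *in, char *out)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '"' || in[i] == '\'')
            out[j++] = '\\';
        out[j++] = in[i];
    }
    /* missing: out[j] = '\0'; */
}

/* Hardened pattern: the caller states the capacity, every write is checked
 * against it with room reserved for the terminator, the terminator is always
 * written (also on failure, so the buffer is never left unterminated), and the
 * escaped length is returned so callers need not rediscover it with strlen(). */
size_t escape_quotes_fixed(const char *in, char *out, size_t cap)
{
    if (cap == 0)
        return (size_t)-1;
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        size_t need = (in[i] == '"' || in[i] == '\'') ? 2 : 1;
        if (j + need + 1 > cap) {        /* +1 keeps space for '\0' */
            out[0] = '\0';
            return (size_t)-1;           /* refuse rather than truncate silently */
        }
        if (need == 2)
            out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';
    return j;
}

/* Stand-in for an uncleared allocation: fill with 'X' and keep one guard NUL
 * at the very end so the demo itself cannot read past the buffer. */
static void fill_stale(char *buf, size_t cap)
{
    memset(buf, 'X', cap);
    buf[cap - 1] = '\0';
}

/* What a caller would see as the string length after each variant. */
size_t buggy_demo_strlen(const char *in)
{
    char buf[DEMO_CAP];
    fill_stale(buf, DEMO_CAP);
    escape_quotes_buggy(in, buf);
    return strlen(buf);            /* escaped text plus all the stale 'X's */
}

size_t fixed_demo_strlen(const char *in)
{
    char buf[DEMO_CAP];
    fill_stale(buf, DEMO_CAP);
    if (escape_quotes_fixed(in, buf, DEMO_CAP) == (size_t)-1)
        return 0;
    return strlen(buf);            /* exactly the escaped length */
}

/* Does the fixed variant produce `expected` for `in` within `cap` bytes? */
int fixed_produces(const char *in, size_t cap, const char *expected)
{
    char buf[DEMO_CAP];
    if (cap > DEMO_CAP)
        cap = DEMO_CAP;
    size_t n = escape_quotes_fixed(in, buf, cap);
    return n != (size_t)-1 && strcmp(buf, expected) == 0 && n == strlen(expected);
}

int main(void)
{
    const char *in = "say \"hi\"";   /* constructed sample input */
    printf("buggy strlen: %zu\n", buggy_demo_strlen(in));   /* 31 */
    printf("fixed strlen: %zu\n", fixed_demo_strlen(in));   /* 10 */
    return 0;
}
```

Compile with `cc -std=c99 demo.c`. The stale bytes are exactly what an uncleared allocation leaves behind, which is why the fix belongs in the sanitiser's own contract (known capacity, always terminated, length returned) rather than in the caller's hope that the allocator handed back zeros. More fundamentally, a sanitiser in front of a shell is the weaker design: passing user input as a separate argv element to an exec-family call avoids shell interpretation entirely.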

    Researchers at watchTowr Labs have published a detailed technical write-up that walks through the full exploit chain of this vulnerability. The write-up underscores the urgency of patching; no attacks on CVE-2026-8037 have been reported yet. Progress has also patched a second high-severity flaw in the same advisory: CVE-2026-33691, a WAF bypass in which whitespace padding in filenames could circumvent file upload extension checks.
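The second flaw in the advisory, CVE-2026-33691, is described as whitespace padding in filenames getting past an upload extension check. As an added C illustration (not the LoadMaster WAF code), here is a naive suffix comparison that such padding slips past, beside a check that canonicalises the name before comparing; the blocked-extension table, the function names and the sample filenames are constructed for this example.

```c
/*
 * Added illustration of the extension-check weakness described for
 * CVE-2026-33691 (whitespace padding in filenames). Not the LoadMaster WAF
 * code; BLOCKED_EXT, the function names and the sample names are constructed.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char *BLOCKED_EXT[] = { ".php", ".phtml", ".jsp", ".sh", NULL };

/* Naive check: compares the raw tail of the filename. "shell.php " (trailing
 * space) does not end in ".php", so it is not blocked, even though a
 * downstream component that trims the name will store it as "shell.php". */
int is_blocked_naive(const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; BLOCKED_EXT[i]; i++) {
        size_t e = strlen(BLOCKED_EXT[i]);
        if (n >= e && strcmp(name + n - e, BLOCKED_EXT[i]) == 0)
            return 1;
    }
    return 0;
}

/* Canonicalise before comparing: strip trailing whitespace, control bytes and
 * dots, lower-case the rest, and NUL-terminate within `cap`. Canonicalise at
 * least as aggressively as whatever consumes the filename afterwards. */
static size_t canonical_name(const char *name, char *out, size_t cap)
{
    size_t n = strlen(name);
    while (n > 0) {
        unsigned char c = (unsigned char)name[n - 1];
        if (isspace(c) || c < 0x20 || c == '.')
            n--;
        else
            break;
    }
    if (n + 1 > cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)name[i]);
    out[n] = '\0';
    return n;
}

/* Hardened check: same table as the naive check, so the only difference is
 * that the comparison runs on the canonical form. (An allowlist of permitted
 * extensions is the stronger policy; a blocklist is kept here for contrast.) */
int is_blocked_hardened(const char *name)
{
    char canon[256];
    canonical_name(name, canon, sizeof canon);
    return is_blocked_naive(canon);
}

int main(void)
{
    const char *samples[] = { "shell.php", "shell.php ", "SHELL.PHP\t",
                              "shell.php.", "report.pdf", NULL };
    for (int i = 0; samples[i]; i++)
        printf("%-14s naive=%d hardened=%d\n", samples[i],
               is_blocked_naive(samples[i]), is_blocked_hardened(samples[i]));
    return 0;
}
```

The general lesson is that a filter and the component behind it must agree on what a name means; when the filter compares raw bytes and the consumer normalises them, every normalisation step is a gap. Checking the canonical form, and preferring an allowlist to a blocklist, closes that class of gap rather than this one instance.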

    This vulnerability is not LoadMaster's first critical flaw, as CISA added a previous LoadMaster command injection flaw (CVE-2024-1212, CVSS 10.0) to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. In April 2026, Progress patched five more high-severity LoadMaster flaws, four of which are command injection issues.

    The Canadian Centre for Cyber Security has also issued an advisory urging administrators to apply the updates. No attacks on CVE-2026-8037 have been reported yet, but a working proof of concept is now public. It is recommended that users patch this vulnerability and ask whether the API needs to be reachable at all.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Vulnerability-Exposed-in-Progress-Kemp-LoadMaster-Application-Delivery-Controller-ehn.shtml

  • https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-8037

  • https://www.cvedetails.com/cve/CVE-2026-8037/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-33691

  • https://www.cvedetails.com/cve/CVE-2026-33691/


  • Published: Wed Jul 1 13:10:30 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.