A significant security vulnerability has been identified in Progress Kemp LoadMaster, potentially enabling unauthenticated attackers to execute commands with root privileges. The flaw, tracked as CVE-2026-8037, poses a severe risk with a CVSS score of 9.8, according to the Zero Day Initiative (ZDI). Users whose LoadMaster API is enabled are advised to apply the available patch immediately.
Understanding the Vulnerability
Progress Kemp LoadMaster is a widely used application delivery controller that manages server traffic. This vulnerability is particularly dangerous because it is pre-authentication: attackers can exploit it without valid credentials. The issue lies within the escape_quotes() function, which improperly sanitizes user input. Because the sanitized buffer is not null-terminated, later code reads beyond the intended data, and that over-read is what enables unauthorized command execution.
Attackers can target the /accessv2 endpoint by sending a JSON request with a crafted apiuser value and additional payloads. This flaw affects LoadMaster GA v7.2.63.1 and older versions, and LTSF v7.2.54.17 and earlier, when the API is enabled. Updated versions GA v7.2.63.2 and LTSF v7.2.54.18 have been released to mitigate this risk.
Patch Details and Recommendations
The patch for this vulnerability includes crucial changes, such as switching the memory allocation function to one that initializes buffers and adding a null terminator. These modifications effectively close the exploit path. The discovery of the flaw was credited to Syed Ibrahim Ahmed of TrendAI Research and was reported through ZDI.
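To make the bug class concrete for both the escape_quotes() description above and the two patch changes just listed, here is an added illustration that is not Progress's code (which is not public): a hypothetical stand-in escaping routine in its unterminated form beside the hardened form, which uses a zero-initializing allocator plus an explicit terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an escape_quotes()-style routine: copies the
 * input, prefixing every single quote with a backslash.
 * VULNERABLE PATTERN: the output buffer is malloc()ed (contents undefined)
 * and the loop never writes a terminating '\0'. Any later code that treats
 * the result as a C string (strlen, printf "%s", a command builder) reads
 * past the copied bytes into whatever the allocator left behind. */
char *escape_quotes_unterminated(const char *in)
{
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++) if (in[i] == '\'') quotes++;
    char *out = malloc(n + quotes + 1);  /* room reserved, terminator never written */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') out[j++] = '\\';
        out[j++] = in[i];
    }
    return out;                           /* out[j] is uninitialised heap */
}

/* Hardened form mirroring the two changes the patch is described as making:
 * a zero-initialising allocation (calloc) and an explicit null terminator. */
char *escape_quotes_fixed(const char *in)
{
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++) if (in[i] == '\'') quotes++;
    char *out = calloc(n + quotes + 1, 1); /* every byte starts as '\0' */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';                         /* terminate explicitly, not by luck */
    return out;
}

int main(void)
{
    /* Constructed sample input; only the fixed routine is exercised, since
     * printing the unterminated result would be undefined behaviour. */
    char *s = escape_quotes_fixed("O'Brien");
    printf("%s\n", s);                     /* O\'Brien */
    free(s);
    return 0;
}
```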
Progress also patched another high-severity issue, CVE-2026-33691, which allowed file upload restrictions to be bypassed through whitespace manipulation. Users are urged to apply these patches promptly to secure their systems against potential exploits.
Historical Context and Future Implications
This is not the first critical issue for Kemp LoadMaster. In 2024, a similar command injection flaw (CVE-2024-1212) was actively exploited, leading to its inclusion in CISA’s Known Exploited Vulnerabilities catalog. Earlier in 2026, Progress addressed several high-severity vulnerabilities in LoadMaster, including command injection issues.
The availability of a working proof of concept underscores the urgency of applying the patches. The Canadian Centre for Cyber Security has also advised administrators to secure their systems. Although no attacks exploiting CVE-2026-8037 have been reported yet, updating systems and reconsidering whether the API needs to be exposed at all are crucial steps to prevent potential threats.
