Full Report
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now. Progress published its advisory on June
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Progress Kemp LoadMaster
## CVE Details
- **CVE ID:** CVE-2026-8037
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); likely CWE-122 (Heap-based Buffer Overflow) or CWE-170 (Improper Null Termination).
## Affected Systems
- **Products:** Progress Kemp LoadMaster (Application Delivery Controller)
- **Versions:**
  - GA v7.2.63.1 and older
  - LTSF v7.2.54.17 and older
- **Configurations:** Systems where the LoadMaster API is enabled.
## Vulnerability Description
The flaw exists within the `escape_quotes()` function, which is designed to sanitize user input by escaping single quotes before passing data to shell commands. The vulnerability is caused by two primary programming errors:
1. **Uninitialized Memory:** The function allocates a memory buffer without clearing existing data.
2. **Missing Null Terminator:** The function fails to write a null terminator (`\0`) at the end of the sanitized string.
These weaknesses allow an attacker to bypass intended sanitization. By sending a crafted request to the `/accessv2` API endpoint containing extra JSON keys, an attacker can "spray" command payloads into memory. Because the system fails to find a null terminator, it continues reading past the sanitized input and executes the subsequent attacker-controlled data in memory as a root-level command.
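The bug class described above, as an added example; it is not LoadMaster's code, which this page does not show. The `'\''` escaping style, the helper names (`copy_escaped`, `flawed_visible_len`, `escape_quotes_fixed`) and the 64-byte chunk pre-filled with `X` to stand in for a recycled heap allocation are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `in` to `out`, rewriting each ' as '\'' (assumed escaping style).
 * Returns bytes written; deliberately writes no terminator. */
static size_t copy_escaped(const char *in, char *out)
{
    size_t o = 0;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    return o;
}

/* Flawed pattern: the buffer is read as a C string although nothing cleared
 * it and nothing terminated it. `chunk` stands in for a recycled malloc()
 * chunk, pre-filled so the outcome is deterministic. Demo input must be
 * short enough that 4 * strlen(in) fits in the chunk. */
static size_t flawed_visible_len(const char *in)
{
    char chunk[64];
    memset(chunk, 'X', sizeof chunk - 1);  /* constructed stale contents */
    chunk[sizeof chunk - 1] = '\0';
    copy_escaped(in, chunk);               /* no '\0' after the output */
    return strlen(chunk);                  /* reader runs into stale bytes */
}

/* Hardened: size for the worst case, zero-fill, terminate explicitly. */
static char *escape_quotes_fixed(const char *in)
{
    size_t cap = strlen(in) * 4 + 1;       /* every byte a quote, plus '\0' */
    char *buf = calloc(1, cap);
    if (buf == NULL) return NULL;
    buf[copy_escaped(in, buf)] = '\0';
    return buf;
}

int main(void)
{
    char *s = escape_quotes_fixed("a'b");
    if (s == NULL) return 1;
    printf("flawed reader sees %zu bytes, fixed reader sees %zu\n",
           flawed_visible_len("a'b"), strlen(s));
    free(s);
    return 0;
}
```

Either fix alone (zero-filling or writing the terminator) stops the over-read in this sketch; applying both keeps the function safe if one is later removed.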
## Exploitation
- **Status:** PoC available (published by watchTowr Labs); no reported exploitation in the wild at the time of the advisory.
- **Complexity:** Low (requires crafted API requests without authentication).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Full access to appliance data and potential traffic interception).
- **Integrity:** Total (Attacker can modify system configurations and appliance firmware).
- **Availability:** Total (Attacker can disable the load balancer or disrupt network traffic).
## Remediation
### Patches
Progress has released the following fixed versions:
- **GA:** v7.2.63.2
- **LTSF:** v7.2.54.18
### Workarounds
- **Disable API:** Disable the LoadMaster API if it is not strictly required for operations.
- **Access Control:** If the API must remain enabled, restrict access to the management interface/API via firewall rules or ACLs to trusted IP addresses only.
## Detection
- **Indicators of Compromise:** Monitor web server logs for unusual or high-volume POST requests to the `/accessv2` endpoint, particularly those containing excessive or anomalous JSON key-value pairs.
- **Detection methods and tools:** Review system audit logs for unauthorized root-level command execution or unexpected outbound connections from the LoadMaster appliance.
## References
- **Progress Advisory:** hxxps[://]community[.]progress[.]com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
- **ZDI Advisory:** hxxps[://]www[.]zerodayinitiative[.]com/advisories/ZDI-26-342/
- **Analysis:** hxxps[://]labs[.]watchtowr[.]com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/