Full Report
A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve
Analysis Summary
# Vulnerability: Progress Kemp LoadMaster Pre-Auth OS Command Injection
## CVE Details
- **CVE ID**: CVE-2026-8037
- **CVSS Score**: 9.6 (Critical)
- **CWE**: CWE-78 (OS Command Injection) / CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products**: Progress Kemp LoadMaster
- **Versions**: Susceptible versions released prior to June 2026 (refer to vendor advisory for specific version range)
- **Configurations**: Systems with the Management API enabled and exposed.
## Vulnerability Description
The vulnerability is rooted in the `escape_quotes()` function within the LoadMaster application. This function fails to properly null-terminate sanitized strings, leading to an out-of-bounds read into adjacent heap memory. By sending specially crafted requests to the `/accessv2` endpoint, an unauthenticated attacker can manipulate heap memory to bypass sanitization and inject arbitrary operating system commands.
## Exploitation
- **Status**: Exploited in the wild (Exploitation attempts reported starting June 29, 2026).
- **Complexity**: Low/Medium (Requires specific heap manipulation).
- **Attack Vector**: Network (Pre-authentication).
- **PoC Available**: Yes (Public technical analysis and PoC have been released).
## Impact
- **Confidentiality**: High (Full access to system data and credentials).
- **Integrity**: High (Ability to modify system configurations and files).
- **Availability**: High (Ability to disrupt services or shut down the appliance).
## Remediation
### Patches
- Progress has released security updates to address this flaw. Administrators should upgrade to the latest available firmware version specified in the [Progress Security Bulletin](https://community.progress[.]com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691).
### Workarounds
- **Restrict Access**: Limit access to the LoadMaster management interface/API to trusted internal networks only.
- **Disable API**: If not required, disable the Management API to reduce the attack surface.
## Detection
### Indicators of Compromise (IoCs)
The following IP addresses have been associated with active exploitation attempts:
- `192.42.116[.]58`
- `192.42.116[.]105`
- `146.70.139[.]154`
### Detection Methods
- **Log Analysis**: Monitor web server logs for unusual activity or unexpected strings targeting the `/accessv2` endpoint.
- **Traffic Monitoring**: Inspect inbound traffic for patterns consistent with heap manipulation or command injection attempts.
## References
- Progress Security Bulletin: `https://community.progress[.]com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691`
- eSentire Advisory: `https://www.esentire[.]com/security-advisories/progress-kemp-loadmaster-vulnerability-targeted-cve-2026-8037`
- CVE Record: `https://www.cve[.]org/CVERecord?id=CVE-2026-8037`