An urgent threat is facing users of Progress Kemp LoadMaster, as a critical, unauthenticated remote code execution (RCE) vulnerability, CVE-2026-8037, is now under active exploitation. This command injection flaw, which can be rated up to 9.8 on the CVSS scale, allows attackers to execute arbitrary commands as the root user on vulnerable appliances. The attack is delivered via a crafted request to the device's API. The risk is exceptionally high as a public proof-of-concept (PoC) exploit is available, and security firm eSentire has confirmed observing exploitation attempts. Organizations must prioritize applying the available patches to prevent a full compromise of their network perimeter.
CVE-2026-8037 is an OS command injection vulnerability in the API of the Kemp LoadMaster load balancer. The flaw exists in the /accessv2 API endpoint due to insufficient sanitization of user-supplied input within the escape_quotes() function. An unauthenticated attacker can send a malicious request containing crafted command strings. These strings are passed directly to the underlying operating system and executed with root privileges. Since LoadMaster devices are typically deployed as edge devices to manage and secure traffic to critical backend applications, a successful exploit provides an attacker with a powerful foothold on the network perimeter.
The vulnerability affects the following versions of Progress Kemp LoadMaster:
7.2.63.1 and older7.2.54.17 and olderProgress has released patched versions GA v7.2.63.2 and LTSF v7.2.54.18 to address the issue.
This vulnerability is actively being exploited. Following the release of patches by Progress on June 4, 2026, researchers from watchTowr Labs published a technical deep-dive and a working PoC exploit on June 29. On the very same day, eSentire's Threat Response Unit (TRU) detected active exploitation attempts against its customer base. This rapid turnaround from PoC to active attack highlights the significant danger posed by this flaw.
The impact of exploiting CVE-2026-8037 is severe. An attacker can achieve the following:
Security teams should monitor for signs of scanning and exploitation in their web server logs.
url_pattern/accessv2network_traffic_patternlog_source/accessv2 endpoint from untrusted sources. The presence of such requests should be treated as a potential compromise attempt.GA v7.2.63.2 or LTSF v7.2.54.18 or later).Applying the vendor-provided patch is the most direct and effective way to remediate the vulnerability.
Restricting access to the appliance's management interface and API from the internet greatly reduces the attack surface.
Progress releases patches for CVE-2026-8037.
watchTowr Labs publishes a PoC exploit, and eSentire observes active exploitation attempts.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.