Critical RCE Vulnerability in Progress Kemp LoadMaster (CVE-2026-8037) Under Active Exploitation

Actively Exploited Kemp LoadMaster Flaw (CVE-2026-8037) Allows Pre-Auth RCE as Root

CRITICAL
July 6, 2026
4m read
VulnerabilityCyberattackPatch Management

Related Entities

Organizations

Progress eSentire watchTowr Labs

Products & Tech

Progress Kemp LoadMaster

CVE Identifiers

CVE-2026-8037
CRITICAL
CVSS:9.8

Full Report

Executive Summary

An urgent threat is facing users of Progress Kemp LoadMaster, as a critical, unauthenticated remote code execution (RCE) vulnerability, CVE-2026-8037, is now under active exploitation. This command injection flaw, which can be rated up to 9.8 on the CVSS scale, allows attackers to execute arbitrary commands as the root user on vulnerable appliances. The attack is delivered via a crafted request to the device's API. The risk is exceptionally high as a public proof-of-concept (PoC) exploit is available, and security firm eSentire has confirmed observing exploitation attempts. Organizations must prioritize applying the available patches to prevent a full compromise of their network perimeter.

Vulnerability Details

CVE-2026-8037 is an OS command injection vulnerability in the API of the Kemp LoadMaster load balancer. The flaw exists in the /accessv2 API endpoint due to insufficient sanitization of user-supplied input within the escape_quotes() function. An unauthenticated attacker can send a malicious request containing crafted command strings. These strings are passed directly to the underlying operating system and executed with root privileges. Since LoadMaster devices are typically deployed as edge devices to manage and secure traffic to critical backend applications, a successful exploit provides an attacker with a powerful foothold on the network perimeter.

Affected Systems

The vulnerability affects the following versions of Progress Kemp LoadMaster:

  • GA version 7.2.63.1 and older
  • LTSF version 7.2.54.17 and older

Progress has released patched versions GA v7.2.63.2 and LTSF v7.2.54.18 to address the issue.

Exploitation Status

This vulnerability is actively being exploited. Following the release of patches by Progress on June 4, 2026, researchers from watchTowr Labs published a technical deep-dive and a working PoC exploit on June 29. On the very same day, eSentire's Threat Response Unit (TRU) detected active exploitation attempts against its customer base. This rapid turnaround from PoC to active attack highlights the significant danger posed by this flaw.

Impact Assessment

The impact of exploiting CVE-2026-8037 is severe. An attacker can achieve the following:

  • Complete Device Takeover: Gaining root access means full control over the LoadMaster appliance.
  • Traffic Interception and Manipulation: Attackers can intercept, inspect, and modify all traffic passing through the load balancer, including sensitive data.
  • Internal Network Access: The compromised device can be used as a pivot point to launch further attacks against the internal network.
  • Persistent Foothold: Attackers can install backdoors on the device to maintain long-term access.

Cyber Observables — Hunting Hints

Security teams should monitor for signs of scanning and exploitation in their web server logs.

Type
url_pattern
Value
/accessv2
Description
Exploitation attempts will target this specific API endpoint. Look for unusual POST requests.
Type
network_traffic_pattern
Value
Outbound connections from the LoadMaster's management interface to unexpected external IPs.
Description
This could indicate a successful compromise and a reverse shell or C2 beacon.
Type
log_source
Value
LoadMaster access logs and system logs.
Description
Review for anomalous API requests or unexpected processes being executed.

Detection Methods

  • Log Analysis: Scrutinize web access logs for the LoadMaster appliance for any requests to the /accessv2 endpoint from untrusted sources. The presence of such requests should be treated as a potential compromise attempt.
  • Vulnerability Scanning: Run internal and external vulnerability scans to identify all Kemp LoadMaster appliances and verify if they are running a vulnerable version.
  • Network Intrusion Detection System (NIDS): Deploy NIDS signatures that can detect the specific exploit pattern for CVE-2026-8037.

Remediation Steps

  1. Patch Immediately: The top priority is to upgrade all vulnerable Kemp LoadMaster appliances to a patched version (GA v7.2.63.2 or LTSF v7.2.54.18 or later).
  2. Restrict API Access: If patching is not immediately possible, restrict access to the LoadMaster's management and API interfaces to a limited set of trusted internal IP addresses. Do not expose the management interface to the internet.
  3. Disable API: If the API is not being used, consider disabling it entirely as a temporary mitigation.
  4. Hunt for Compromise: After patching, review logs for any evidence of exploitation that may have occurred before the patch was applied. A root-level compromise should be assumed if evidence is found, and a full incident response should be initiated.

Timeline of Events

1
June 4, 2026
Progress releases patches for CVE-2026-8037.
2
June 29, 2026
watchTowr Labs publishes a PoC exploit, and eSentire observes active exploitation attempts.
3
July 6, 2026
This article was published

MITRE ATT&CK Mitigations

Applying the vendor-provided patch is the most direct and effective way to remediate the vulnerability.

Restricting access to the appliance's management interface and API from the internet greatly reduces the attack surface.

Timeline of Events

1
June 4, 2026

Progress releases patches for CVE-2026-8037.

2
June 29, 2026

watchTowr Labs publishes a PoC exploit, and eSentire observes active exploitation attempts.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

cve-2026-8037kemp loadmasterprogressrcevulnerabilitycommand injectionzero-day

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.