Progress Software’s Kemp LoadMaster application delivery controller has an unauthenticated, pre-auth remote code execution flaw that grants root on the appliance — and it’s already being probed in the wild. Progress disclosed CVE-2026-8037 on June 4, watchTowr Labs published a detailed technical writeup, and Canadian MDR firm eSentire confirmed exploitation attempts beginning June 29, 2026. If you run a LoadMaster with its API exposed, treat this as active-incident territory, not a routine patch cycle.

What’s Vulnerable

CVE-2026-8037 (CVSS 9.8) is a command injection vulnerability exploitable by any unauthenticated attacker who can reach the LoadMaster management API. It affects:

  • GA builds v7.2.63.1 and earlier
  • LTSF builds v7.2.54.17 and earlier

Exposure requires the API to be enabled, which it is on many deployments, either by default or for automation/orchestration integrations (Kubernetes ingress controllers, auto-scaling groups, and other API-driven load-balancing setups commonly toggle it on).

Technical Details

The root cause lives inside escape_quotes(), an internal function meant to sanitize user-supplied input before it’s handed to a shell command — the standard defense against command injection. The unpatched implementation breaks that guarantee in two ways at once:

  1. It allocates its output buffer with malloc(), leaving the memory uninitialized rather than zeroed.
  2. It fails to write a null terminator after generating the escaped string.

Combined, an attacker-controlled string that reaches this function leaves an unterminated “escaped” string in front of uninitialized heap memory, so the string is read past the intended buffer boundary and stale heap contents are incorporated into the “escaped” output — which then gets concatenated into a shell command and executed. Because the escaping logic itself is the thing that’s broken, the usual assumption that “this input already got sanitized” fails silently. watchTowr’s writeup (“Enterprise Tech In, Shell Out”) walks through the heap layout and how a request that triggers this path results in arbitrary command execution as root, with no authentication and no user interaction.
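To make the two defects concrete, here is an added, hypothetical reconstruction of the bug class in C. It is not Kemp’s code and does not reproduce their escaping rules; it assumes a sanitizer that backslash-escapes quotes and backslashes, shows the malloc()-without-terminator shape beside the calloc()-plus-explicit-NUL shape that the patch described under Mitigation uses, and adds a small termination check a caller can apply to any sanitizer output before it is spliced into a command string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sanitizer (not the vendor's code): prefix each single quote
 * and backslash with a backslash. Worst case doubles the input length. */

/* Unpatched shape from the advisory: the buffer is malloc()'d (not zeroed)
 * and no NUL is written after the escaped bytes. With a worst-case input
 * the buffer is completely filled, so strlen()/strcat() on the result run
 * off the end into whatever heap bytes follow. Shown only for contrast. */
char *escape_quotes_unpatched(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(2 * n);          /* no slot reserved for a terminator */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') out[j++] = '\\';
        out[j++] = in[i];
    }
    return out;                         /* bug: out[j] = '\0' never happens */
}

/* Patched shape: zeroed allocation sized for worst case plus one byte,
 * and an explicit terminator regardless of how many bytes were written. */
char *escape_quotes_patched(const char *in) {
    size_t n = strlen(in);
    char *out = calloc(2 * n + 1, 1);   /* zeroed, room for the NUL */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';                      /* never rely on calloc() alone */
    return out;
}

/* Caller-side guard: a sanitizer result must contain a NUL inside its own
 * allocation (cap bytes) before it is handed to string functions. */
int is_terminated(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

int main(void) {
    char *p = escape_quotes_patched("it's");
    printf("patched: %s terminated=%d\n", p, is_terminated(p, 2 * 4 + 1));
    free(p);
    return 0;
}
```

With the all-quotes input `''` the unpatched variant fills its 4-byte buffer exactly, so the check fails deterministically without touching uninitialized memory; on other inputs the outcome depends on stale heap bytes, which is exactly why the bug is hard to spot in testing.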

Impact

LoadMaster appliances typically sit at the network edge, terminating and distributing traffic for the applications behind them — precisely the kind of chokepoint that makes a pre-auth root RCE catastrophic. A successful exploit gives an attacker:

  • Full control of the load balancer OS, including the ability to intercept, redirect, or terminate traffic for every backend it fronts
  • A pivot point into the internal network the LoadMaster sits in front of
  • Access to any TLS material, session data, or credentials the appliance handles

eSentire’s telemetry shows exploitation attempts starting June 29 — three weeks after the advisory — but reports the observed attempts failed, with no evidence of successful post-compromise activity yet. That’s a narrow window of relief, not a reason to deprioritize patching; failed opportunistic scanning today typically precedes a working exploit chain within days once one gets refined and shared.

Mitigation

  1. Patch immediately. Progress’s fix changes the allocation from malloc() to calloc() (zeroing the buffer) and explicitly writes a terminating NUL, closing both the uninitialized-read and out-of-bounds issues. Update to the latest GA or LTSF build per Progress’s advisory.
  2. If you can’t patch immediately, disable the API or restrict access to it via firewall/ACL to trusted management networks only. Do not expose the LoadMaster API to the public internet.
  3. Hunt for exploitation attempts in API access logs going back to at least June 29 — look for malformed or anomalous requests to API endpoints that process user-supplied strings destined for shell execution, and for unexpected child processes spawned by the LoadMaster management service.
  4. Review appliance integrity on any internet-facing LoadMaster that had the API enabled during the exposure window — check for unauthorized configuration changes, new accounts, or persistence mechanisms, since watchTowr’s research indicates the primitive is a clean path to root shell.

Edge load balancers and ADCs keep landing in the same bucket as VPN concentrators and firewalls this year: internet-facing, privileged, and one input-sanitization bug away from full compromise. Anything speaking to an API you didn’t explicitly need to expose is worth re-evaluating.
