Critical Zero-Day Vulnerability in Progress Kemp LoadMaster Exposes Enterprise Networks
A severe security flaw in Progress Kemp LoadMaster, tracked as CVE-2026-8037, has left enterprise networks worldwide vulnerable to unauthenticated remote code execution. The vulnerability, rated 9.8 (Critical) on the CVSS scale, allows attackers to execute arbitrary commands with root-level privileges on affected appliances without requiring authentication.
Kemp LoadMaster is a widely used load balancer and application delivery controller, handling critical functions like traffic management, SSL/TLS offloading, and web application firewall protection. Since these devices often sit at the network perimeter, exploitation provides attackers with a direct pathway into an organization’s infrastructure, bypassing internal security controls.
Root Cause & Exploitation
Researchers at WatchTowr Labs traced the flaw to the escape_quotes() function, the routine that escapes single quotes in user-supplied values before they are interpolated into a command handed to a system shell. The output buffer it produces is never null-terminated, so the string-handling code that follows keeps reading past the end of the buffer into whatever sits next to it in memory.
The trigger is the /accessv2 API endpoint: a crafted JSON request whose apiuser value consists of four single quotes causes the escaped output to be read out of bounds, so the contents of the adjacent heap chunk are treated as part of the escaped value and end up in the shell command. Once attacker-controlled bytes close the quoting, the remainder of the string is executed as a command; because the affected service runs as root, so does the injected command, with no authentication required.
Affected Versions & Patch Availability
The vulnerability impacts:
- Kemp LoadMaster GA 7.2.63.1 and earlier
- LTSF 7.2.54.17 and earlier (when the API feature is enabled)
Progress has released patched versions (GA 7.2.63.2 and LTSF 7.2.54.18). The fix switches the allocation to zero-filled memory and writes the missing null terminator; the zero fill is defence in depth, and it is the terminator that actually stops the over-read. The same fix applies to Progress ECS Connection Manager and Progress Connection Manager for ObjectScale.
Organizations running affected versions are advised to upgrade immediately, as unpatched devices remain exposed to attacks from both the public internet and internal networks. Because the vulnerable code is reached through the API endpoint, limiting which networks can reach the appliance's API interface reduces exposure until the upgrade is applied, but it is not a substitute for it. Those without active maintenance agreements should contact their vendor for updates.
The flaw was first reported to Progress by researcher Syed Ibrahim Ahmed of TrendAI Research, with WatchTowr Labs publishing the root-cause analysis, and was disclosed by Progress on June 4, 2026. Given its severity and the perimeter position of these appliances, enterprises should treat remediation as a priority.
Source: https://cybersecuritynews.com/critical-progress-kemp-loadmaster-vulnerability/
Progress Kemp LoadMaster cybersecurity rating report: https://www.rankiteo.com/company/progresskemploadmaster
"id": "PRO1782829753",
"linkid": "progresskemploadmaster",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology / Enterprise IT',
'location': 'Global',
'name': 'Progress Kemp LoadMaster',
'type': 'Load Balancer / Application Delivery '
'Controller'}],
'attack_vector': 'Remote',
'date_publicly_disclosed': '2026-06-04',
'description': 'A severe security flaw in Progress Kemp LoadMaster, tracked '
'as CVE-2026-8037, has left enterprise networks worldwide '
'vulnerable to unauthenticated remote code execution. The '
'vulnerability allows attackers to execute arbitrary commands '
'with root-level privileges on affected appliances without '
'requiring authentication. Kemp LoadMaster is a widely used '
'load balancer and application delivery controller, handling '
'critical functions like traffic management, SSL/TLS '
'offloading, and web application firewall protection. '
'Exploitation provides attackers with a direct pathway into an '
'organization’s infrastructure, bypassing internal security '
'controls.',
'impact': {'operational_impact': 'Potential unauthorized access to enterprise '
'networks, bypassing internal security '
'controls',
'systems_affected': 'Kemp LoadMaster, Progress ECS Connection '
'Manager, Progress Connection Manager for '
'ObjectScale'},
'post_incident_analysis': {'corrective_actions': 'Switch to zero-filled '
'memory allocation and add '
'missing null terminator',
'root_causes': 'Missing null terminator in the '
'`escape_quotes()` function, '
'allowing out-of-bounds memory read '
'and command injection via the '
'/accessv2 API endpoint'},
'recommendations': 'Organizations running affected versions are advised to '
'upgrade immediately to patched versions (GA 7.2.63.2 or '
'LTSF 7.2.54.18). Those without active maintenance '
'agreements should contact their vendor for updates.',
'references': [{'source': 'WatchTowr Labs'},
{'source': 'TrendAI Research (Syed Ibrahim Ahmed)'}],
'response': {'containment_measures': 'Upgrade to patched versions (GA '
'7.2.63.2 or LTSF 7.2.54.18)',
'remediation_measures': 'Switch to zero-filled memory allocation '
'and add missing null terminator'},
'title': 'Critical Zero-Day Vulnerability in Progress Kemp LoadMaster Exposes '
'Enterprise Networks',
'type': 'Zero-Day Vulnerability',
'vulnerability_exploited': 'CVE-2026-8037'}