Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Unauthenticated OS Command Injection RCE in Progress Kemp LoadMaster API

IdentifiersCVE-2026-8037CWE-77· Improper Neutralization of Special…

CVE-2026-8037 is a critical remote code execution vulnerability affecting the API in Progress ADC products, including Progress Kemp LoadMaster. According to the provided content, the issue is an OS command injection flaw caused by unsanitized input in multiple command endpoints, allowing attacker-controlled input to reach operating system command execution paths. The vendor description states that an unauthenticated attacker can exploit the flaw to execute arbitrary commands on the LoadMaster appliance. Supporting content also references vulnerable API handling associated with the accessv2 endpoint and the apiuser parameter, though the broader vendor description characterizes the issue as affecting multiple command endpoints. Successful exploitation results in arbitrary command/code execution on the appliance, reportedly in the context of root.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution on the LoadMaster appliance. An attacker can execute arbitrary operating system commands, run malicious payloads, and obtain administrative or root-level execution context on the device. Given the role of LoadMaster as an application delivery controller/load balancer, compromise can expose confidentiality, integrity, and availability of traffic and services handled by the appliance, and may enable broader infrastructure compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the LoadMaster management/API surface to trusted administrative networks only, block internet access to vulnerable API endpoints, and restrict unauthenticated access paths to the appliance. Monitor for suspicious requests to API command endpoints, especially those carrying crafted input to parameters associated with command execution paths. Because the content identifies this as exploitable without credentials, temporary network isolation of the management/API interface is the most meaningful mitigation until patched. Specific vendor mitigation guidance beyond patching is not available in the provided content.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fixed firmware versions referenced in the June 2026 LoadMaster critical security bulletin. The provided content states that Progress released updates addressing CVE-2026-8037 and recommends upgrading to LoadMaster firmware v7.2.63.2 or v7.2.54.18. The content also states affected versions include GA 7.2.63.1 and prior and LTSF 7.2.54.17 and prior. Where applicable, obtain and apply the corresponding fixes for related Progress ADC products referenced by the vendor bulletin.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Progress SoftwareLoadmasterapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app
reddit netsecNews
Jun 29, 2026
Enterprise Tech In, Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) - watchTowr Labs : r/netsec

A pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster involving uninitialized heap memory.

Read more
nuclei templates pull requestsNews
Jun 29, 2026
CVE-2026-8037 - Progress ADC LoadMaster - Command Injection by DhiyaneshGeek · Pull Request #16505 · projectdiscovery/nuclei-templates · GitHub

A command injection vulnerability affecting Progress ADC LoadMaster; the referenced material also suggests pre-auth remote code execution significance.

Read more
security online infoNews
Jun 9, 2026
Kemp LoadMaster Flaws: Command Injection Remote Execution

A critical unauthenticated OS command injection remote code execution vulnerability in the API of Progress Kemp LoadMaster that allows arbitrary command execution on the appliance.

Read more
ca ccsNews
Jun 5, 2026
Progress security advisory (AV26-552) - Canadian Centre for Cyber Security

A vulnerability addressed by Progress in Kemp LoadMaster in the June 2026 critical security bulletin.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-8037
NVD
nvd.nist.gov/vuln/detail/CVE-2026-8037
MITRE CWE · CWE-77
Improper Neutralization of Special Elements…
community.progress.com
community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691