Critical Progress Kemp LoadMaster Flaw Allows Pre-Auth Root Command Execution

A critical vulnerability in Progress Kemp LoadMaster can let unauthenticated attackers run commands as root on affected appliances when the API is enabled and reachable.

The flaw is tracked as CVE-2026-8037 and affects LoadMaster GA 7.2.63.1 and earlier, along with LTSF 7.2.54.17 and earlier. Progress has released fixed versions, and administrators should upgrade immediately.

The most severe issue is detailed in ZDI-26-342, which gives the apiuser flaw a CVSS score of 9.8 because exploitation requires no authentication and can lead to code execution as root.

Why CVE-2026-8037 is serious

Kemp LoadMaster is commonly used as a load balancer and application delivery controller. It often sits close to the network edge, where it handles application traffic, SSL and TLS offloading, health checks, content switching, and web application firewall features.

That placement makes a remote code execution flaw especially dangerous. If attackers can reach the affected API endpoint, they may not need a password or a foothold inside the target environment.

The watchTowr Labs analysis says CVE-2026-8037 is accessible to anyone who can access the API and describes the issue as a pre-authentication remote code execution vulnerability.

Item	Details
CVE	CVE-2026-8037
Product	Progress Kemp LoadMaster
Most severe advisory	ZDI-26-342
CVSS score	9.8
Attack requirement	Network access to the affected API
Authentication	Not required for the apiuser issue
Impact	Remote command execution as root

Which LoadMaster versions are affected?

Progress lists CVE-2026-8037 under the API and UI module in its LoadMaster vulnerabilities table. The company says fixed versions are available for both the general availability and long-term support feature branches.

The vulnerable versions are GA 7.2.63.1 and older, and LTSF 7.2.54.17 and older. The patched releases are GA 7.2.63.2 and LTSF 7.2.54.18.

The issue matters most for appliances with the API enabled. Organizations should treat any internet-exposed or broadly reachable LoadMaster API endpoint as a priority patching target.

Branch	Affected version	Fixed version
LoadMaster GA	7.2.63.1 and older	7.2.63.2
LoadMaster LTSF	7.2.54.17 and older	7.2.54.18

How the vulnerability works

The bug sits in the way LoadMaster handles input passed to the accessv2 endpoint. The vulnerable path processes the apiuser value before building a shell command.

According to ZDI-26-342, the flaw exists in the handling of the apiuser parameter provided to the accessv2 endpoint and results from memory not being properly initialized before access.

In practical terms, an attacker can shape the request so data from adjacent heap memory becomes part of the command string. That creates a path from a crafted API request to command execution as root.

• The attacker sends a crafted request to the accessv2 API endpoint.
• The apiuser value passes through a quote-escaping routine.
• The vulnerable code fails to terminate the escaped output correctly.
• The command builder can continue reading into attacker-controlled heap data.
• The resulting shell command can include the injected payload.

The patch shows the root cause

watchTowr Labs compared the vulnerable and fixed LoadMaster versions and found that the patch changed a function called escape_quotes(). That function is supposed to make user input safe before it gets placed inside a shell argument.

The vulnerable implementation used malloc and failed to add a null terminator after escaped output. The patched implementation uses zero-filled allocation and writes the missing terminator.

The technical write-up explains that four single quote characters can expand into 16 bytes during escaping, which helps overwrite allocator metadata and lets the payload reach the shell command construction path.

Progress has released the fix

Progress says it fixed CVE-2026-8037 in the 7.2.63.2 release. The company describes the issue in its LoadMaster security updates as a command injection remote code execution vulnerability in the cipher set UI and API command.

The Progress vulnerability table also lists CVE-2026-8037 as fixed in LMOS 7.2.63.2 and LMOS 7.2.54.18. That means administrators should verify both the installed version and the active update branch before assuming the appliance is safe.

The same June release also addresses CVE-2026-33691, a separate LoadMaster issue affecting the web application firewall component. Teams already scheduling maintenance should review both fixes together.

Why edge appliances need urgent patching

Load balancers and application delivery controllers can become high-value targets because they sit in front of important applications. A compromised appliance can give attackers access to traffic flows, management functions, credentials, and internal network paths.

This risk is not theoretical for edge products. Attackers frequently target VPNs, firewalls, load balancers, and other perimeter systems because they offer a direct route into enterprise environments.

Security coverage from The Hacker News also highlighted that the flaw can let attackers run root commands before authentication if they can reach the affected API.

Risk area	Why it matters
Network edge placement	LoadMaster appliances often receive traffic before backend systems do
Root-level execution	Successful exploitation can give attackers high control over the appliance
API exposure	Reachable management or API surfaces increase the attack window
Traffic handling	Compromised appliances may expose sensitive application paths or credentials

What administrators should do now

Administrators should upgrade LoadMaster appliances to GA 7.2.63.2 or LTSF 7.2.54.18 as soon as possible. They should also verify whether API access is enabled and restrict it to trusted management networks only.

The 7.2.63.2 release notes confirm that the command injection RCE issue has been fixed. Organizations without an active maintenance agreement should contact Progress or their reseller to obtain the appropriate update.

After patching, teams should review logs for unusual API requests, unexpected administrative activity, new configuration changes, and outbound connections from the appliance.

• Upgrade to GA 7.2.63.2 or LTSF 7.2.54.18.
• Disable API access if the organization does not need it.
• Restrict API and management access to trusted IP ranges.
• Block public internet access to administrative interfaces.
• Review appliance logs for suspicious accessv2 requests.
• Check for unexpected changes to certificates, virtual services, and WAF settings.
• Rotate credentials if compromise is suspected.

How to prioritize the response

Organizations should place internet-facing LoadMaster appliances at the top of the patch list. Systems with API access exposed to broad internal networks should follow closely.

The Progress vulnerabilities page confirms that a fix is available, so teams should not treat mitigation alone as a long-term answer.

Short-term network restrictions can reduce exposure while maintenance windows are prepared. They should not replace the vendor update because the vulnerable code remains present until the appliance runs a fixed version.

Priority	Device type	Recommended action
Highest	Internet-facing LoadMaster with API enabled	Patch immediately and restrict API access
High	Internal LoadMaster with broad API reachability	Patch quickly and limit management networks
Medium	LoadMaster with API disabled	Patch during the next urgent maintenance window
Ongoing	All LoadMaster deployments	Monitor logs and keep firmware current

What makes this flaw different from earlier LoadMaster bugs

Progress LoadMaster has faced several command injection issues in recent years, but CVE-2026-8037 stands out because the highest-severity apiuser path does not require authentication.

Some related ZDI entries for CVE-2026-8037 require privileges and carry lower scores. That distinction matters for defenders, because the pre-auth apiuser path creates a faster route from network exposure to root-level execution.

Reporting from The Hacker News notes that Progress credited Syed Ibrahim Ahmed of TrendAI Research for discovering and reporting the issue through the Zero Day Initiative.

The bottom line

CVE-2026-8037 gives attackers a high-impact path against Progress Kemp LoadMaster appliances when the vulnerable API is reachable. The combination of no authentication, network attack access, and root-level command execution makes it a patch-now issue.

Security teams should verify exposure first, but they should not wait for exploitation reports before acting. Edge infrastructure often becomes a target soon after technical details become public.

The safest response is to upgrade to the fixed LoadMaster release, restrict API access, review logs, and confirm that administrative interfaces cannot be reached from untrusted networks.

FAQ