
Critical Vulnerability Discovered in Progress Kemp LoadMaster Puts Corporate Networks at Serious Risk!
Another extremely dangerous vulnerability has been discovered in the cybersecurity landscape, leaving organizations worldwide that use Progress Kemp LoadMaster devices under serious threat. This vulnerability, registered under identifier CVE-2026-8037, allows attackers to remotely execute arbitrary system commands on the device without any authentication. The CVSS severity score for this vulnerability is rated at 9.8, placing it in the highest — Critical — category.
What Is LoadMaster and Why Is It Important?
Progress Kemp LoadMaster is a widely used Application Delivery Controller (ADC) and Load Balancer solution in corporate infrastructures. It performs functions such as load balancing across servers, SSL/TLS traffic processing, application performance optimization, content routing, and protecting web applications from various cyberattacks through its built-in Web Application Firewall (WAF).
These devices are typically deployed at the external perimeter of an organization’s network — at the point directly connected to the Internet. Therefore, any critical vulnerability discovered in such devices creates a dangerous opportunity for attackers to gain access to the internal network.
How Does the Vulnerability Work?
According to experts, the issue stems from a programming error in the escape_quotes() function, which is part of the device’s access execution module.
This function is designed to escape special characters in user-supplied data before passing them to system commands. However, in older software versions, a null terminator (\0) was not added to the end of the created buffer.
As a result, the system, through the sprintf() function, begins to read data beyond the allocated memory boundaries. An attacker, by sending specially crafted JSON requests, can place malicious commands in adjacent memory regions and achieve their execution through the system shell.
The most dangerous aspect is that no username, password, or other authentication credentials are required to carry out this attack. If the API interface is enabled and network access to the device is possible, the vulnerability becomes exploitable.
How Did Researchers Discover the Vulnerability?
The vulnerability was initially discovered by researcher Syed Ibrahim Ahmed from TrendAI Research and reported to Progress in accordance with responsible disclosure principles.
Subsequently, experts from WatchTowr Labs conducted a deep technical analysis of the vulnerability’s mechanism and published a detailed report on the exploitation process. According to their analysis, the problem arose from improper memory management, allowing attackers to execute code with root (administrator) privileges.
Which Versions Are at Risk?
The following versions are considered vulnerable:
- Kemp LoadMaster GA 7.2.63.1 and earlier versions;
- Kemp LoadMaster LTSF 7.2.54.17 and earlier versions.
The vulnerability is particularly exploitable on devices with the API function enabled.
Additionally, this issue affects the following products:
- Progress ECS Connection Manager;
- Progress Connection Manager for ObjectScale.
How Was the Issue Resolved?
Progress implemented a number of important changes in the software to address the vulnerability. Specifically:
- instead of malloc(), calloc() is now used for memory allocation, which automatically fills the allocated area with zero values;
- the missing null terminator has been added to the output buffer;
- the ability to read data beyond the allocated memory boundaries has been completely eliminated.
As a result, the path to exploitation leading to remote code execution has been closed.
Recommendations for Organizations
Experts recommend that all organizations using LoadMaster devices take the following measures as soon as possible:
- immediately update devices to versions GA 7.2.63.2 or LTSF 7.2.54.18;
- temporarily disable the API service if not strictly necessary;
- restrict direct access to the API interface over the Internet;
- allow access to management interfaces only from trusted IP addresses;
- regularly analyze device logs and monitor for suspicious API requests;
- implement additional security controls at the network perimeter and strengthen monitoring for signs of exploitation.
If an organization does not have a technical support contract, it is recommended to contact the manufacturer’s partners to obtain the updated software.
Conclusion
The CVE-2026-8037 vulnerability is one of the most dangerous flaws discovered recently in infrastructure devices located at the network perimeter. Its authentication-free exploitation, ability to execute remote code with root privileges, and direct threat to Internet-facing LoadMaster devices make it particularly hazardous.
Organizations must not overlook this vulnerability — they need to update devices immediately and regularly conduct audits and monitoring of all critical systems located at the network perimeter. Because a successful attack through such devices can lead to the compromise of the entire corporate infrastructure, leakage of confidential data, and disruption of business processes.



