CVE-2026-8037, a critical flaw in Progress Kemp LoadMaster rated CVSS 9.8 by the Zero Day Initiative, lets an unauthenticated attacker send a crafted API request that results in arbitrary commands running as root on the appliance — and a patch is available now.
How the vulnerability operates inside LoadMaster
The bug lives in a function named escape_quotes(), whose intended role is to sanitize single quotes before user input is passed into a shell command. In affected builds the function allocated a buffer without zeroing it and failed to write a terminating null byte at the end of the sanitized string. Because the allocation was not zeroed, nothing stopped the string where the sanitized data ended: code consuming the result kept reading past it into whatever stale bytes occupied the adjacent memory.
An attacker can exploit that behavior by targeting the /accessv2 API endpoint, which handles API credential validation. By sending a JSON body with a specially crafted apiuser value and dozens of additional key-value pairs — each carrying the attacker's command payload — the system reads the sanitized input, runs past the missing terminator, consumes the attacker-controlled bytes and executes the injected command. No valid credentials are required; the command runs with root privileges on the appliance.
Discovery, disclosure timeline, and technical follow-up
- The vulnerability, tracked as CVE-2026-8037, was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through the Zero Day Initiative on April 15, 2026.
- Progress published its advisory on June 4 and stated it had not received reports of exploitation.
- ZDI coordinated a public advisory release on June 9 and recorded a CVSS score of 9.8 for the flaw.
- On June 29, researchers at watchTowr Labs published a detailed technical write-up that analyzed the patch diff and included a working proof-of-concept demonstrating the full exploit chain.
Affected versions, the patch, and the companion fix
Only LoadMaster instances with the API enabled are affected. The flaw impacts LoadMaster GA v7.2.63.1 and earlier, and LTSF v7.2.54.17 and earlier. Progress released fixed builds: GA v7.2.63.2 and LTSF v7.2.54.18.
The corrective code changes are small and explicit: the memory allocation function was replaced with one that zero-fills the buffer, and an explicit null terminator was added after the escaped output. Progress described the patch as a two-line change that closes a path to root.
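To make the defect class and the two-line correction concrete, the following C program is an added example, not Progress's code (which this page does not show). It reconstructs an escape routine of the kind described above that writes its output without a terminator, beside a hardened version that zero-fills its buffer and writes the terminator explicitly. The escaping scheme (each single quote becomes '\''), the function names, and the 'X'-filled arena that stands in for stale heap contents are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escaping scheme assumed for this example: each single quote in the input
 * becomes the four-byte sequence '\'' so the result can sit inside a
 * single-quoted shell argument. The page does not state the real scheme. */
#define QUOTE_SEQ "'\\''"

/* Number of bytes the escaped form occupies, excluding the terminator. */
static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++)
        n += (*in == '\'') ? strlen(QUOTE_SEQ) : 1;
    return n;
}

/* Writes the escaped bytes into out and returns how many were written.
 * Deliberately does NOT write a terminating NUL: this models the defect
 * class described in the advisory (a reconstruction, not Progress's code). */
static size_t escape_quotes_unterminated(const char *in, char *out) {
    size_t pos = 0;
    for (; *in; in++) {
        if (*in == '\'') {
            memcpy(out + pos, QUOTE_SEQ, strlen(QUOTE_SEQ));
            pos += strlen(QUOTE_SEQ);
        } else {
            out[pos++] = *in;
        }
    }
    return pos;
}

/* Hardened form: zero-filled allocation plus an explicit terminator, the two
 * changes the article attributes to the fix. Caller frees the result. */
char *escape_quotes_fixed(const char *in) {
    size_t n = escaped_len(in);
    char *out = calloc(n + 1, 1);   /* zeroed, so stale bytes never leak in */
    if (out == NULL)
        return NULL;
    escape_quotes_unterminated(in, out);
    out[n] = '\0';                  /* explicit terminator */
    return out;
}

/* Shows why the missing terminator matters. The arena stands in for a
 * malloc() block that still holds stale data ('X' bytes, constructed here);
 * strlen() on the unterminated result keeps reading into those bytes. */
size_t unterminated_visible_len(const char *in) {
    char arena[64];
    if (escaped_len(in) >= sizeof arena)
        return 0;                     /* keep the demonstration in bounds */
    memset(arena, 'X', sizeof arena);
    arena[sizeof arena - 1] = '\0';   /* stop the read inside the arena */
    escape_quotes_unterminated(in, arena);
    return strlen(arena);             /* 63, not escaped_len(in) */
}

/* Convenience for checks: 1 if the fixed escaper yields exactly expect. */
int fixed_matches(const char *in, const char *expect) {
    char *got = escape_quotes_fixed(in);
    if (got == NULL)
        return 0;
    int ok = strcmp(got, expect) == 0 && strlen(got) == escaped_len(in);
    free(got);
    return ok;
}

int main(void) {
    const char *sample = "it's";     /* constructed input */
    char *fixed = escape_quotes_fixed(sample);
    if (fixed == NULL)
        return 1;
    printf("fixed:        \"%s\" (len %zu)\n", fixed, strlen(fixed));
    printf("unterminated: strlen reads %zu bytes\n",
           unterminated_visible_len(sample));
    free(fixed);
    return 0;
}
```

The unterminated variant never writes outside the bytes it owns; the damage comes from the reader, which has no way to know where the sanitized data stops and treats the stale bytes that follow as part of the string. Zero-filling alone would mask the problem only until the buffer is reused, which is why the fix also writes the terminator.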
Progress also addressed a second, high-severity issue in the same advisory: CVE-2026-33691, a web application firewall bypass where whitespace padding in filenames could circumvent extension checks during file uploads.
How administrators, regulators, and defenders should weigh the risk
- Administrators and security teams: Apply the updates to GA v7.2.63.2 or LTSF v7.2.54.18 if you run LoadMaster with the API enabled. Because the exploit requires no credentials and executes commands as root, public-facing or otherwise exposed APIs should be treated as high-risk until patched. The advice from observers is simple: patch, and then ask whether the API needs to be reachable at all.
- Regulators and national security centers: This is not an isolated event for LoadMaster. In November 2024 CISA added a previous LoadMaster command-injection flaw (CVE-2024-1212, CVSS 10.0) to its Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation. The Canadian Centre for Cyber Security has also issued an advisory urging administrators to apply the updates for CVE-2026-8037.
- Incident responders and threat analysts: No exploitation of CVE-2026-8037 has been reported so far, but a working proof-of-concept is public following the watchTowr Labs write-up. That combination — publicly available exploit details plus a high-severity, pre-auth root execution — raises the likelihood that threat actors will attempt scanning and exploitation against exposed LoadMaster APIs.
Context: repeating patterns and why this matters
Progress's LoadMaster has a recent history of critical command-injection issues: the November 2024 CISA action, April 2026 patches for five high-severity flaws (four command-injection), and Progress's association with MOVEit — whose 2023 vulnerabilities produced a large exploitation campaign — are all documented in the public record. Those prior incidents provide a context in which a pre-auth, root-level command execution on an edge-facing appliance demands rapid mitigation.
Patch promptly if you run LoadMaster with its API enabled. If you cannot patch immediately, isolate or disable the API where feasible and review logs for anomalous /accessv2 requests. Progress has shipped fixes; the technical community has published a proof-of-concept; and national cybersecurity centres have issued advisories. In short: apply the two-line fix embedded in the updates, then consider whether the API should be exposed at all.
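As an added example for the log-review step (not from the advisory or from Progress), the C program below scans constructed access-log lines for /accessv2 requests that either come from outside an assumed management network or carry an unusually large body, the two traits a defender would most want to surface. The log layout (Common Log Format with a trailing request-body size), the 10.0.0.x management prefix and the 2048-byte body threshold are assumptions for the example; real LoadMaster logs may differ and should be mapped to the same two rules.

```c
#include <stdio.h>
#include <string.h>

/* Constructed access-log lines in a Common Log Format-like layout. The
 * trailing number is treated here as the request body size in bytes; that
 * layout is an assumption for the example, not LoadMaster's real format. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.2 - - [29/Jun/2026:10:00:01 +0000] \"POST /accessv2 HTTP/1.1\" 200 118",
    "203.0.113.5 - - [29/Jun/2026:10:00:02 +0000] \"POST /accessv2 HTTP/1.1\" 200 131",
    "10.0.0.2 - - [29/Jun/2026:10:00:03 +0000] \"POST /accessv2 HTTP/1.1\" 200 9344",
    "10.0.0.7 - - [29/Jun/2026:10:00:04 +0000] \"GET /login HTTP/1.1\" 200 0",
    "198.51.100.9 - - [29/Jun/2026:10:00:05 +0000] \"POST /accessv2 HTTP/1.1\" 401 7920",
};
#define SAMPLE_LOG_COUNT (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Management network assumed to be the only legitimate API client
 * (a plain string prefix check, adequate for the constructed sample). */
#define MGMT_PREFIX "10.0.0."
/* A normal credential check carries a small JSON body; anything far larger
 * is worth a look. The threshold is a constructed starting point. */
#define BODY_LIMIT 2048UL

/* Returns 1 if the line is an /accessv2 request that violates either rule,
 * 0 for normal lines or lines that do not parse. */
int is_suspicious_accessv2(const char *line) {
    char src[64], method[8], path[128];
    int status;
    unsigned long body;
    if (sscanf(line, "%63s %*s %*s [%*[^]]] \"%7s %127s %*[^\"]\" %d %lu",
               src, method, path, &status, &body) != 5)
        return 0;
    if (strncmp(path, "/accessv2", 9) != 0)
        return 0;                     /* only the credential-validation endpoint */
    if (strncmp(src, MGMT_PREFIX, strlen(MGMT_PREFIX)) != 0)
        return 1;                     /* API reached from outside management */
    if (body > BODY_LIMIT)
        return 1;                     /* oversized body for a credential check */
    return 0;
}

/* Counts suspicious lines in the constructed sample. */
int count_suspicious(void) {
    int n = 0;
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        n += is_suspicious_accessv2(SAMPLE_LOG[i]);
    return n;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        if (is_suspicious_accessv2(SAMPLE_LOG[i]))
            printf("REVIEW: %s\n", SAMPLE_LOG[i]);
    printf("%d of %zu lines flagged\n", count_suspicious(), SAMPLE_LOG_COUNT);
    return 0;
}
```

Either rule firing is a reason to look at the request, not proof of exploitation; the source-network rule in particular is really a restatement of the question the article closes on, whether the API should be reachable from anywhere but the management network at all.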