Severe Infrastructure Exposure Discovered
Administrators running Progress Kemp LoadMaster appliances should patch now. Progress has fixed two flaws in Kemp LoadMaster: a critical OS command injection in the appliance API that an unauthenticated attacker can use to take full administrative control of the load balancer, and a high-severity bypass of the built-in web application firewall. A load balancer sits in front of many applications, so an unpatched unit that is reachable by an attacker hands over a foothold at the network core rather than a single service. Check the running firmware version on every LoadMaster today.
Investigating the RCE Threat Vector
The more serious of the two is tracked as CVE-2026-8037, an OS command injection in the LoadMaster API that yields remote code execution. It is exploitable remotely without valid credentials, so any appliance whose API an attacker can reach is exposed. Progress Kemp describes it as follows:
“OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an unauthenticated attacker with permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input.”
In practice, an attacker who can reach the API runs arbitrary commands on the appliance operating system, and with them controls the device and everything routed through it.
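To make the vulnerability class concrete, the following is an added example (not LoadMaster code and not from the advisory) of the pattern the quote describes, unsanitized input reaching a shell, next to its hardened form. The API parameter (a host to ping from the appliance), the allowlist regex and the sample inputs are all assumptions made for the demonstration; only the safe builder is ever executed.

```python
import re
import shlex
import subprocess

# Assumed API parameter for the demo: a host the appliance should reach.
# Allowlist: hostname/IP characters only, and not starting with "-" so the
# value can never be parsed as an option by the target binary.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

# Tokens that, once they reach a shell, separate or substitute commands.
SHELL_OPERATORS = {";", "&&", "||", "|", "&", "$", "`", "(", ")"}


def build_shell_command(host: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string."""
    return f"ping -c 1 {host}"


def shell_tokens(command: str) -> list[str]:
    """Tokenize the way a POSIX shell would, so control operators show up as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def contains_shell_operator(command: str) -> bool:
    """True when the interpolated string would no longer be a single command."""
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(command))


def build_safe_argv(host: str) -> list[str]:
    """Hardened form: validate against an allowlist, then pass an argv list."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    """Convenience wrapper: does the hardened builder refuse this input?"""
    try:
        build_safe_argv(host)
    except ValueError:
        return True
    return False


def run_safe(host: str) -> int:
    """Execute the hardened form; shell=False means no shell ever parses the input."""
    proc = subprocess.run(build_safe_argv(host), shell=False,
                          capture_output=True, timeout=5)
    return proc.returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, two carrying shell metacharacters.
    for candidate in ["10.0.0.1", "10.0.0.1; id", "10.0.0.1 $(id)"]:
        cmd = build_shell_command(candidate)
        print(f"{candidate!r}: shell would see {shell_tokens(cmd)}, "
              f"injection={contains_shell_operator(cmd)}, "
              f"hardened rejects={is_rejected(candidate)}")
```

The vulnerable builder is shown only to illustrate the tokenization; a real handler built that way and executed with shell=True would run the injected command with the privileges of the API process.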
WAF Bypass via Filename Padding
The second issue, CVE-2026-33691, is a high-severity input validation flaw in the appliance's built-in web application firewall, which uses the OWASP Core Rule Set (CRS). The advisory notes that “the OWASP CRS failed to normalize whitespace in filenames before applying the extension-checking regular expression”. A filename such as "shell.php " (with trailing whitespace) therefore does not match a pattern anchored on the ".php" extension, so a crafted multipart/form-data upload passes the default file extension rule. The bypass does not compromise the appliance on its own; its value to an attacker is in getting a file past the WAF to a backend application that was relying on it, particularly where that backend normalizes the filename itself and stores the file under its real extension.
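The following added example (not CRS code and not from the advisory) reproduces the normalization mistake on constructed input: a small multipart/form-data body with three uploads is checked against a denylist regex first on the raw filename, as the flawed order of operations does, and then on a whitespace-normalized filename. The denylist regex, the boundary string and the request body are assumptions made for the demonstration; the real CRS rule text is not on the page.

```python
import re

# Illustrative extension denylist standing in for a CRS-style rule (assumption:
# the real rule is not reproduced here). Anchored on the end of the filename.
BLOCKED_EXT = re.compile(r"\.(php|phtml|phar|jsp|aspx?|cgi|sh)$", re.IGNORECASE)

# filename= parameter of a Content-Disposition header inside a multipart part
FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filenames_from_multipart(body: str, boundary: str) -> list[str]:
    """Return every filename= value found in the part headers of a multipart body."""
    names = []
    for part in body.split(f"--{boundary}"):
        headers = part.split("\r\n\r\n", 1)[0]   # headers end at the first blank line
        names.extend(FILENAME_RE.findall(headers))
    return names


def blocked_raw(filename: str) -> bool:
    """Flawed order of operations: apply the regex to the filename as received."""
    return BLOCKED_EXT.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Collapse internal whitespace runs and strip both ends before any check."""
    return re.sub(r"\s+", " ", filename).strip()


def blocked_normalized(filename: str) -> bool:
    """Corrected order: normalize whitespace first, then apply the extension check."""
    return BLOCKED_EXT.search(normalize_filename(filename)) is not None


def evaluate_upload(body: str, boundary: str) -> list[dict]:
    """Compare both checks for every filename carried in the body."""
    return [
        {
            "filename": name,
            "blocked_raw": blocked_raw(name),
            "blocked_normalized": blocked_normalized(name),
        }
        for name in filenames_from_multipart(body, boundary)
    ]


BOUNDARY = "----demo-boundary"

# Constructed request body: a harmless PDF, a .php name padded with a trailing
# space and tab, and a plain .php name for comparison. Bodies are placeholders.
CONSTRUCTED_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="doc"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "PDF-PLACEHOLDER\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="shell.php \t"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "NOT-A-REAL-PAYLOAD\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file2"; filename="shell.php"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "NOT-A-REAL-PAYLOAD\r\n"
    f"--{BOUNDARY}--\r\n"
)


if __name__ == "__main__":
    for row in evaluate_upload(CONSTRUCTED_BODY, BOUNDARY):
        print(row)
```

The padded name slips past the raw check because the anchored regex requires the extension to be the last thing in the string; normalizing before matching closes that gap. The same ordering applies to any check that inspects a filename, including content-type and path traversal rules.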
Immediate Mitigation and Patch Deployment
Progress has released fixed firmware. Upgrade LoadMaster to v7.2.63.2, or to v7.2.54.18 on the 7.2.54 release line, whichever your deployments run. The same fixes apply to Progress ECS Connection Manager and Progress Connection Manager for ObjectScale. Customers without an active support agreement must contact their Progress or Kemp partner to obtain the update. Until the upgrade is applied, limit who can reach the LoadMaster management interface and API; a load balancer's administrative surface should never be exposed to the internet, and that restriction is the only meaningful stopgap for an unauthenticated remote code execution flaw.
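As an added example (not a Progress tool), the following triage helper takes an inventory of LoadMaster hostnames and the firmware versions they report and lists every unit still below the fixed build named above. The inventory contents are constructed, and the assumption that 7.2.54.x deployments stay on that line and need 7.2.54.18 while everything else needs 7.2.63.2 is mine; how the version is collected from each appliance is outside the page and left to the reader.

```python
import re

# Fixed builds named in the advisory.
FIX_LTS = (7, 2, 54, 18)      # 7.2.54 release line
FIX_CURRENT = (7, 2, 63, 2)   # everything else

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'v7.2.63.2' or '7.2.63' into a comparable 4-tuple (missing field = 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised LoadMaster version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def required_fix(version: tuple[int, int, int, int]) -> tuple[int, int, int, int]:
    """Assumption: units on 7.2.54.x need 7.2.54.18, all others need 7.2.63.2."""
    return FIX_LTS if version[:3] == FIX_LTS[:3] else FIX_CURRENT


def is_patched(text: str) -> bool:
    """True when the reported version is at or above the fixed build for its line."""
    v = parse_version(text)
    return v >= required_fix(v)


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, running, required) for every host that still needs the upgrade."""
    todo = []
    for host, running in inventory.items():
        v = parse_version(running)
        fix = required_fix(v)
        if v < fix:
            todo.append((host, running, ".".join(map(str, fix))))
    return todo


# Constructed inventory: hostnames and versions invented for the demo.
CONSTRUCTED_INVENTORY = {
    "lb-dc1-01": "7.2.63.1",
    "lb-dc1-02": "7.2.63.2",
    "lb-dc2-01": "7.2.54.17",
    "lb-dc2-02": "7.2.54.18",
    "lb-lab-01": "7.2.61.0",
}


if __name__ == "__main__":
    for host, running, required in triage(CONSTRUCTED_INVENTORY):
        print(f"{host}: running {running}, upgrade to {required}")
```

Feed it the output of whatever inventory source you already trust; the point is that version comparison is done numerically per field, not as a string, so 7.2.63.10 is correctly recognised as newer than 7.2.63.2.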