TL;DR
Attackers began exploiting the Kemp LoadMaster RCE vulnerability, tracked as CVE-2026-8037, on June 29, 2026. That timing matched the public release of proof-of-concept exploit code. The flaw lets an unauthenticated attacker run commands as root on the appliance. In its security advisory, eSentire’s Threat Response Unit confirmed exploitation attempts, though none succeeded in the cases it reviewed. Progress patched the bug on June 4, but unpatched systems remain exposed.
Why It Matters
Kemp LoadMaster sits at the network edge, handling traffic for many enterprises. The Kemp LoadMaster RCE vulnerability hands an attacker a foothold before any login screen appears, since no credentials are required. Because the appliance often sees internal services, a breach could open the door to deeper compromise. Its CVSS score of 9.8 reflects that severity.
How the Attack Works
Researcher Syed Ibrahim Ahmed of TrendAI Research reported the flaw to Progress in April through the Zero Day Initiative. The bug lives inside escape_quotes(), a function meant to sanitize input before LoadMaster builds a shell command. The unpatched version allocated memory without clearing it and skipped a null terminator.
As a result, a later step that runs through system() could read past the intended buffer into adjacent heap memory. In its technical analysis, watchTowr Labs showed how crafted API requests could steer that stray read toward attacker-controlled data, achieving code execution without credentials. The flaw is reachable through the /accessv2 endpoint whenever the API is enabled.
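The bug class described above, as an added illustration in C that is not LoadMaster's actual escape_quotes() (the function names, the '\'' escaping scheme and the inputs are assumptions): a single-quote escaper that allocates an uninitialised buffer and omits the terminator, beside the corrected form that sizes for, zero-fills and writes the NUL.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class in the article, not LoadMaster's
 * code: wrap a string for a single-quoted shell argument by turning each '
 * into '\''.  The two defects named above (uninitialised heap buffer, missing
 * NUL terminator) appear in the first function and are corrected in the second. */

/* Number of output bytes needed, excluding the terminator. */
static size_t escaped_len(const char *in) {
    size_t len = 0;
    for (; *in; in++) len += (*in == '\'') ? 4 : 1;
    return len;
}

/* VULNERABLE pattern: malloc() leaves stale heap bytes in place and no '\0'
 * is written, so a later strlen()/system() on the result runs past the
 * escaped text into whatever neighbours it on the heap. */
char *escape_quotes_vulnerable(const char *in) {
    char *out = malloc(escaped_len(in));       /* no +1 for '\0' */
    if (!out) return NULL;
    size_t j = 0;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + j, "'\\''", 4); j += 4; }
        else out[j++] = *in;
    }
    return out;                                /* caller cannot tell where it ends */
}

/* HARDENED form: the size includes the terminator, the buffer is zero-filled,
 * and the '\0' is written explicitly. */
char *escape_quotes_fixed(const char *in) {
    size_t len = escaped_len(in);
    char *out = calloc(len + 1, 1);            /* +1 for '\0', and zeroed */
    if (!out) return NULL;
    size_t j = 0;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + j, "'\\''", 4); j += 4; }
        else out[j++] = *in;
    }
    out[j] = '\0';
    return out;
}

/* Returns 1 if the hardened escaper turns `in` into exactly `expect`. */
int check_fixed(const char *in, const char *expect) {
    char *s = escape_quotes_fixed(in);
    int ok = s && strcmp(s, expect) == 0 && strlen(s) == escaped_len(in);
    free(s);
    return ok;
}
```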
Affected Versions
The vulnerability hits two LoadMaster branches. General Availability builds at version 7.2.63.1 and earlier are vulnerable, along with LTSF builds at 7.2.54.17 and earlier. Progress fixed both lines on June 4, shipping GA 7.2.63.2 and LTSF 7.2.54.18. Additionally, the same bulletin patched CVE-2026-33691, a separate WAF bypass affecting file upload filtering.
Patch and Mitigation
Administrators should update to the fixed builds immediately to close the Kemp LoadMaster RCE vulnerability for good. If patching must wait, disabling the LoadMaster API removes the exposed attack path. Teams should also review logs for requests to /accessv2 and watch for eSentire’s published indicators of compromise. For deeper guidance, consult Progress’s official security bulletin.