Last updated: July 5, 2026 at 9:01 AM UTC
Tag: kemp-loadmaster (1 article)

Critical Kemp LoadMaster flaw gives unauthenticated attackers root on edge appliances

A critical flaw in Progress Kemp LoadMaster lets an unauthenticated attacker run commands as root on the appliance by sending a crafted request to its API. Rated 9.8, the bug (CVE-2026-8037) sits in a function meant to sanitize input before it reaches a shell command, and LoadMaster's position as an edge load balancer and application delivery controller makes a pre-authentication flaw especially dangerous, since it can turn a protective choke point into a direct foothold. Progress patched it in early June, and researchers at watchTowr published a full technical write-up with a working proof-of-concept on June 29. No exploitation has been reported yet, but Progress also makes MOVEit, a past mass-exploitation target.

Check
Identify Progress Kemp LoadMaster appliances with the API enabled, confirm their versions, and determine whether the management API is reachable from untrusted networks or the internet, the exposure this flaw needs.
Affected
Kemp LoadMaster GA 7.2.63.1 and earlier and LTSF 7.2.54.17 and earlier with the API enabled (CVE-2026-8037); an unauthenticated attacker who can reach the API gains root on an edge device.
Fix
Update to LoadMaster GA 7.2.63.2 or LTSF 7.2.54.18, and question whether the management API needs to be reachable at all, restricting it to trusted management networks or disabling it where unused.