A critical flaw in Progress Kemp LoadMaster lets an unauthenticated attacker run commands as root on the appliance by sending a crafted request to its API. Rated 9.8, the bug (CVE-2026-8037) sits in a function meant to sanitize input before it reaches a shell command. LoadMaster's position as an edge load balancer and application delivery controller makes a pre-authentication flaw especially dangerous, since it can turn a protective choke point into a direct foothold. Progress patched it in early June, and researchers at watchTowr published a full technical write-up with a working proof-of-concept on June 29. No exploitation has been reported yet, but Progress also makes MOVEit, a past mass-exploitation target.
Two flaws in Progress ShareFile's Storage Zones Controller can be chained for unauthenticated remote code execution, with no credentials needed. An attacker first bypasses authentication via improper HTTP redirect handling, then uploads a malicious webshell through the file upload function. watchTowr published full technical details and a proof-of-concept. Around 30,000 instances are exposed online. File transfer solutions are a favorite ransomware target: Clop hit Accellion, GoAnywhere, MOVEit, and Cleo the same way.