Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
NEWS

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts

A critical pre-authentication remote code execution flaw in Progress Kemp LoadMaster (CVE-2026-8037, CVSS 9.6) is under active exploitation attempts,...

Dylan H.

News Desk

July 1, 2026
3 min read

Overview

A critical pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster is now seeing active exploitation attempts in the wild, according to eSentire's Threat Response Unit (TRU). The flaw, tracked as CVE-2026-8037 with a CVSS score of 9.6, allows a completely unauthenticated attacker with network access to the appliance's management API to execute arbitrary commands as root.

LoadMaster is a widely deployed enterprise load balancer and application delivery controller that typically sits at the outermost edge of corporate networks — making this vulnerability an exceptionally dangerous initial access vector.

Technical Details

The vulnerability resides in the escape_quotes() function within LoadMaster's internal processing pipeline. The flaw is a string-termination bug: the function fails to properly null-terminate sanitized strings, resulting in an out-of-bounds read into adjacent heap memory. An attacker can craft a specially crafted request to the /accessv2 API endpoint that manipulates heap memory layout and triggers command injection with no authentication required.

Key Characteristics

PropertyDetail
CVECVE-2026-8037
CVSS Score9.6 (Critical)
AuthenticationNone required
Attack VectorNetwork
ImpactRoot-level command execution
Vulnerable Endpoint/accessv2 API

watchTowr Labs published a full technical write-up on June 29, 2026 detailing the heap manipulation technique and proof-of-concept exploit chain. The public availability of this research accelerated exploitation attempts.

Active Exploitation Status

eSentire's TRU identified exploitation attempts targeting CVE-2026-8037 beginning around June 29, 2026. As of their advisory, observed attempts had not succeeded in achieving post-compromise activity — likely due to the specific memory layout requirements of the exploit — but the attempts confirm active interest from threat actors scanning for exposed LoadMaster instances.

Progress's security bulletin addressing CVE-2026-8037 also included a fix for CVE-2026-33691, a secondary vulnerability disclosed at the same time.

Why This Is High Priority

Load balancers occupy a privileged network position. Unlike an internally accessible server, a compromised LoadMaster appliance gives an attacker:

  • A foothold before any internal security controls are encountered
  • Direct visibility into traffic flowing between external users and internal application servers
  • Potential to intercept, modify, or redirect authenticated sessions
  • A pivot point for lateral movement into otherwise segmented network zones

The absence of any authentication requirement means the vulnerability is exploitable by any internet-connected attacker who can reach the management API — which on misconfigured deployments may be exposed directly to the internet.

Remediation

  1. Apply the patched firmware immediately. Progress released updated LoadMaster firmware addressing both CVE-2026-8037 and CVE-2026-33691.
  2. Restrict management API access — ensure the /accessv2 endpoint and LoadMaster's management interface are not accessible from the public internet. Bind management interfaces to dedicated out-of-band management networks.
  3. Review LoadMaster logs for anomalous API requests to /accessv2, particularly those with unusually long parameter values or unexpected character sequences.
  4. Enable alerting on new admin account creation or configuration changes made outside of authorized change windows.
  5. Check for indicators of compromise — review for unexpected processes, new scheduled tasks, or unauthorized SSH keys on LoadMaster appliances.

References

  • The Hacker News — Progress Kemp LoadMaster Pre-Auth RCE
  • watchTowr Labs — Technical Analysis CVE-2026-8037
#CVE#RCE#Load Balancer#Progress Kemp#Active Exploitation#Vulnerability

Related Articles

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

CISA has added a high-severity Microsoft SharePoint Server remote code execution vulnerability to its Known Exploited Vulnerabilities catalog following...

5 min read

Hackers Now Exploit Critical F5 BIG-IP Flaw in Attacks

F5 has reclassified a BIG-IP APM vulnerability from denial-of-service to critical remote code execution, warning that attackers are actively exploiting...

6 min read

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

Threat actors are actively weaponizing CVE-2026-33017, a critical unauthenticated RCE flaw in Langflow, to deploy a Monero miner via the lambsys...

6 min read
Back to all News