A critical vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster permits unauthenticated root command execution via API requests. Patches have been released for the CVSS 9.8 flaw. Reports indicate active exploitation attempts, causing security concerns among users.
Progress Kemp LoadMaster, an application delivery controller used to manage network traffic, has a critical security flaw allowing unauthenticated attackers to execute root commands via API requests. This flaw, identified as CVE-2026-8037, has been rated with a CVSS score of 9.8, highlighting its severity.
The vulnerability resides in the escape_quotes() function, which is responsible for sanitizing input to prevent command injection. The function allocated memory without clearing it and omitted a null terminator, so subsequent string handling read past the end of the buffer (an out-of-bounds read). This flaw permits malicious actors to execute arbitrary commands.
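To make the bug class concrete, here is an added C example that is not Progress's code (the real escape_quotes() is not shown on this page): a hypothetical reconstruction of an escape_quotes()-style routine, assumed to backslash-escape quote characters, with the uninitialised-buffer and missing-terminator pattern beside a hardened version.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class described above (not the vendor's code).
 * Assumed behaviour: copy `in` into a new heap buffer, prefixing every quote with a backslash. */

/* Vulnerable pattern: malloc() leaves the buffer uninitialised and the loop never writes a
 * terminating NUL, so a later strlen()/strcpy() on the result reads past the escaped bytes
 * into whatever heap garbage follows. Kept only as the reference for the fixed version. */
char *escape_quotes_vulnerable(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n * 2);          /* worst case: every byte is a quote; no room for NUL */
    if (out == NULL) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '"') out[j++] = '\\';
        out[j++] = in[i];
    }
    return out;                         /* BUG: out[j] is never set to '\0' */
}

/* Hardened version: zero-initialised allocation with one extra byte and an explicit terminator. */
char *escape_quotes_fixed(const char *in)
{
    size_t n = strlen(in);
    if (n > (SIZE_MAX - 1) / 2) return NULL;   /* guard the size arithmetic against overflow */
    char *out = calloc(n * 2 + 1, 1);   /* zeroed, +1 byte reserved for the NUL */
    if (out == NULL) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '"') out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';                      /* explicit terminator, independent of calloc zeroing */
    return out;
}

/* Check helper: returns 1 when the hardened routine escapes `in` exactly to `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char *got = escape_quotes_fixed(in);
    if (got == NULL) return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```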
A patch has been released, and affected users are strongly advised to update immediately to avoid potential breaches. Although no current exploitation has been reported by Progress, cybersecurity firms have identified active attempts to exploit the vulnerability since June 29, 2026.
As LoadMaster operates at the network edge, such vulnerabilities pose a significant risk. Without mitigation, attackers can exploit the flaw to gain privileged access to networks, making updates critical for maintaining organizational security.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.
The CVE-2026-8037 vulnerability in Progress Kemp LoadMaster is subject to active exploitation attempts. This RCE vulnerability, rated 9.6 on the CVSS, allows unauthenticated attackers to execute arbitrary commands on affected devices, raising significant security concerns.
A serious vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary root commands via crafted API requests. A patch is now available, and affected users are urged to update immediately to mitigate the security risk.