SOCRadar® Cyber Intelligence Inc. | CVE-2026-8037: Progress Kemp LoadMaster RCE Exploited in the Wild
Jul 02, 2026

CVE-2026-8037: Progress Kemp LoadMaster RCE Exploited in the Wild

A critical vulnerability tracked as CVE-2026-8037 affects Progress Kemp LoadMaster (Progress ADC / LoadMaster). The issue is a pre-auth Remote Code Execution (RCE) condition caused by OS command injection through the product’s API, meaning an attacker may not need credentials if they can reach an exposed management or API interface in a vulnerable configuration.

As of June 29, 2026, security reporting indicates in-the-wild exploitation attempts began the same day functional proof-of-concept (PoC) code appeared publicly. That timing increases risk for organizations running exposed, unpatched LoadMaster systems.

What Is CVE-2026-8037?

CVE-2026-8037 (CVSS 9.6) is described as an unauthenticated OS command injection vulnerability that can lead to remote code execution on Progress Kemp LoadMaster appliances.

The vulnerability is reachable via unsanitized inputs handled by the LoadMaster API. If the API is enabled and reachable over the network, an attacker may be able to execute arbitrary commands on the appliance without logging in.

Details of CVE-2026-8037 (SOCRadar Vulnerability Intelligence)

Why Pre-Auth RCE Matters for ADCs and Load Balancers

LoadMaster often sits in a high-trust position, frequently at the edge of an environment. If an attacker gains code execution on an ADC or load balancer, the impact can extend beyond the device itself. Depending on architecture and downstream access, compromise can plausibly enable follow-on activity such as internal discovery, traffic manipulation, or credential access.

Defenders should note that these points represent potential risk assessments rather than verified consequences of reported active exploitation attempts.

Which Progress Kemp LoadMaster Versions Are Affected?

Available reporting ties exposure to environments where the API is enabled. The following versions are reported as affected, but defenders should validate against the official Progress advisory for authoritative guidance.

Reported affected (advisory summaries):

  • LoadMaster GA v7.2.63.1 and older
  • LoadMaster LTSF v7.2.54.17 and older

Also reported in aggregated CNA-style version ranges:

  • 7.2.60.0 to 7.2.63.1 (fixed at 7.2.63.2)
  • 7.2.45.12 to 7.2.54.17 (fixed at 7.2.54.18)

If you maintain multiple branches (GA vs. LTSF), confirm which track your appliance follows before selecting an upgrade target.
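
The version figures above can be turned into a quick inventory triage. This is an added example, not code from Progress or SOCRadar. It assumes each aggregated range belongs to the track that shares its upper bound, that the operator supplies the track, and it uses a constructed inventory with hypothetical hostnames.

```python
# Added example: triage LoadMaster firmware against the versions reported in this article.
# Assumption: each reported range belongs to the track sharing its upper bound.
REPORTED = {
    # track: (range start, last affected, fixed at)
    "GA": ("7.2.60.0", "7.2.63.1", "7.2.63.2"),
    "LTSF": ("7.2.45.12", "7.2.54.17", "7.2.54.18"),
}

def parse_version(text):
    """Turn '7.2.63.1' or 'v7.2.63.1' into a tuple of ints for comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version, track):
    """Return (status, upgrade_target) for one appliance on the given track."""
    start, _last, fixed = REPORTED[track]
    v = parse_version(version)
    if v >= parse_version(fixed):
        return ("fixed", None)
    if v >= parse_version(start):
        return ("affected", fixed)
    # Below the aggregated range, but still "and older" in the advisory summaries.
    return ("older-than-range", fixed)

# Constructed inventory: (hypothetical hostname, firmware version, track).
INVENTORY = [
    ("lm-edge-01", "7.2.63.1", "GA"),
    ("lm-edge-02", "v7.2.63.2", "GA"),
    ("lm-dc-01", "7.2.50.3", "LTSF"),
    ("lm-lab-01", "7.2.40.1", "LTSF"),
]

def triage_inventory(inventory):
    """Map each hostname to its (status, upgrade_target) result."""
    return {host: triage(version, track) for host, version, track in inventory}

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```

The result is only as good as the track supplied for each appliance, and an "older-than-range" result should be checked against the official Progress advisory rather than read as unaffected.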

CVE-2026-8037 Exploitation Status and Timeline

  • June 4, 2026: Progress published an advisory describing a command injection RCE condition in LoadMaster.
  • June 29, 2026: Technical analysis was published describing the issue as pre-auth RCE reachable via the API.
  • June 29, 2026: Threat reporting observed active exploitation attempts beginning the same day.
  • July 1, 2026: A sector-focused threat bulletin summarized observed attempts and urged patching and verification.

Defenders should note that active exploitation attempts surfaced shortly after the public disclosure of functional proof-of-concept (PoC) code, a pattern that consistently accelerates opportunistic targeting of reachable, unpatched appliances.

Reports track observed attempts rather than verified extensive breaches, and there is currently no confirmed attribution linking this activity to a specific known threat group.

Technical Summary (What Defenders Should Know)

At a high level:

  • Vulnerability class: OS command injection leading to RCE
  • Access requirement: Pre-auth / unauthenticated in exposed configurations (notably when the API is enabled and reachable)
  • Primary attack surface: LoadMaster API, particularly when accessible from untrusted networks

Public technical analysis also frames the vulnerability as a path to command execution, with discussion suggesting memory-handling behavior (for example, uninitialized heap conditions) plays a role in the overall chain. For defenders, the key point is simpler: treat this as an internet-reachable management/API risk and prioritize patching and exposure reduction.

To avoid enabling misuse, this article does not include endpoint paths, payload structures, or request patterns.

Impact: What Successful Exploitation Enables

If exploited successfully, CVE-2026-8037 can allow arbitrary command execution on the LoadMaster appliance, which can result in full device compromise.

Because these appliances can be integrated with authentication flows, TLS termination, and traffic routing, defenders should treat a compromised ADC as a high-impact event. Even if downstream business applications remain patched, a compromised edge device can change the security assumptions of the environment.

How SOCRadar Supports Prioritization and Exposure Tracking

For vulnerability response teams, SOCRadar XTI can help reduce time-to-action by correlating vulnerability disclosures with exploitation signals. In practice, teams commonly pair:

This combination is most useful when a vulnerability is both pre-auth and actively targeted, since patch urgency depends heavily on real-world exposure.

SOCRadar’s Vulnerability Intelligence

Mitigation and Response Guidance

Patch or Upgrade to Fixed Releases

Progress and downstream advisories recommend applying firmware updates. Prioritize upgrades for any LoadMaster instance where:

  • the API is enabled, and
  • the management/API interface is reachable from the internet or other untrusted networks.

Reduce Exposure of the Management Plane and API

Where immediate patching is not possible, reduce the reachable attack surface:

  • Restrict management and API access to trusted admin networks or VPN-only access.
  • Block internet exposure at perimeter firewalls, ACLs, or security groups.
  • Confirm that only required administrative sources can reach the appliance’s management and API interfaces.

These controls do not replace patching, but they can reduce opportunistic exploitation risk while change windows are scheduled.

Verify Whether Exploitation Attempts Reached Your Environment

Since reporting references in-the-wild attempts, organizations should perform targeted verification:

  • Review LoadMaster and upstream web access logs for unusual spikes in requests to management or API interfaces.
  • Look for unexpected process execution, configuration changes, new files, or unexplained outbound connections originating from the appliance.
  • If your LoadMaster sits in a sensitive segment, consider broader scoping to adjacent systems that may have been reachable from that device.
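
The log review and the admin-source restriction described above can be checked together. This is an added example, not SOCRadar or Progress tooling. It assumes logs already normalized to `timestamp source listener status`, a hypothetical `mgmt` listener label, an assumed admin network of 10.20.0.0/24, and constructed sample lines.

```python
import ipaddress
from collections import Counter
from statistics import median

# Assumption: the only network allowed to reach the management/API interface.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample: one admin request per hour, then a burst from an outside source.
SAMPLE_LOG = "\n".join(
    [f"2026-06-29T{h:02d}:05:00Z 10.20.0.15 mgmt 200" for h in (8, 9, 10, 11)]
    + [f"2026-06-29T11:{m:02d}:00Z 203.0.113.7 mgmt 404" for m in range(10, 22)]
    + ["2026-06-29T11:30:00Z 198.51.100.9 vip 200"]  # ordinary load-balanced traffic
)

def parse_log(log):
    """Yield (hour, source_ip, listener) for each well-formed line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, src, listener, _status = fields
        try:
            yield ts[:13], ipaddress.ip_address(src), listener
        except ValueError:
            continue  # skip lines with an unparsable source address

def review(log, admin_nets=ADMIN_NETS, spike_factor=5):
    """Report non-admin sources and unusually busy hours on the management listener."""
    per_hour, outsiders = Counter(), Counter()
    for hour, src, listener in parse_log(log):
        if listener != "mgmt":
            continue
        per_hour[hour] += 1
        if not any(src in net for net in admin_nets):
            outsiders[str(src)] += 1
    baseline = median(per_hour.values()) if per_hour else 0
    spikes = sorted(h for h, n in per_hour.items()
                    if baseline and n >= spike_factor * baseline)
    return {"untrusted_sources": dict(outsiders), "spike_hours": spikes}

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Any entry under `untrusted_sources` means the exposure restrictions are not in effect for that path, regardless of whether the requests succeeded.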

If you suspect successful exploitation, treat the appliance as potentially compromised. Plan response steps that include containment, forensic preservation, credential rotation where appropriate, and restoration using known-good firmware and configuration baselines.