Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
Jun 30, 2026
Vulnerability / API Security
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now.

Progress published its advisory on June 4 and says it has not received any reports of exploitation. On June 29, researchers at watchTowr Labs published a detailed technical write-up that walks through the full exploit chain.

What the Flaw Does

LoadMaster is an application delivery controller and load balancer used by enterprises to manage traffic across servers. It sits at the network edge, which makes any pre-auth flaw in it especially dangerous.

The vulnerability lives in a function called escape_quotes(), which is supposed to sanitize user input before it gets passed into a shell command. The f...