A critical pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster, tracked as CVE-2026-8037 (CVSS 9.6), is now facing active exploitation attempts. The flaw, an OS command injection in the LoadMaster API, allows unauthenticated attackers to execute arbitrary commands on affected appliances.
Canadian cybersecurity firm eSentire’s Threat Response Unit (TRU) reported detecting exploitation attempts starting June 29, 2026. The attacks, originating from IP addresses 192.42.116.58, 192.42.116.105, and 146.70.139.154, ultimately failed, with no post-compromise activity observed. However, the public availability of a proof-of-concept exploit and detailed technical analysis from watchTowr Labs is expected to drive further malicious activity.
watchTowr Labs traced the root cause to the escape_quotes() function in the load balancer application, which improperly handles user-supplied input. The function fails to null-terminate sanitized strings, leading to an out-of-bounds read into adjacent heap memory. Attackers can exploit this by sending specially crafted requests to the /accessv2 endpoint, manipulating heap memory to enable command injection.
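
The defect class described above (an escaping routine that does not null-terminate its output) is shown here next to a hardened form. This is an added, simplified illustration and not LoadMaster code: the function names, the set of escaped characters, and the pre-filled buffer standing in for a reused heap chunk are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical escaper with the defect class described above: it copies and
 * escapes quote characters but never writes the terminating NUL. */
static size_t escape_quotes_unterminated(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (; *in && o + 2 < cap; in++) {
        if (*in == '\'' || *in == '"' || *in == '\\')
            out[o++] = '\\';
        out[o++] = *in;
    }
    return o;                       /* BUG: out[o] keeps whatever was there */
}

/* Hardened form: reserves room for the NUL, always terminates, and reports
 * truncation so the caller rejects the input instead of using a partial string. */
static int escape_quotes_terminated(const char *in, char *out, size_t cap) {
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        int esc = (*in == '\'' || *in == '"' || *in == '\\');
        if (o + (size_t)esc + 1 >= cap) { out[0] = '\0'; return -1; }
        if (esc) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed demo: buf is pre-filled to stand in for a reused heap chunk
 * holding stale bytes. Returns how many stale bytes a later strlen() picks up. */
static size_t stale_bytes_seen(int hardened) {
    char buf[32];
    memset(buf, 'S', sizeof buf - 1);   /* stale data from a previous use */
    buf[sizeof buf - 1] = '\0';         /* keeps the demo within bounds */
    size_t written = hardened
        ? (size_t)escape_quotes_terminated("a'b", buf, sizeof buf)
        : escape_quotes_unterminated("a'b", buf, sizeof buf);
    return strlen(buf) - written;       /* 0 when properly terminated */
}

int main(void) {
    printf("unterminated: %zu stale bytes follow the output\n", stale_bytes_seen(0));
    printf("terminated:   %zu stale bytes follow the output\n", stale_bytes_seen(1));
    return 0;
}
```

Any later string operation on the unterminated output treats the stale bytes as part of the sanitized value, which is why the hardened form both terminates and fails closed on truncation.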
Progress had previously released an advisory for CVE-2026-8037 in early June 2026. This is the second critical LoadMaster flaw to see active exploitation, following CVE-2024-1212 (CVSS 10.0), another OS command injection vulnerability. Organizations using Progress Kemp LoadMaster are urged to apply patches immediately and monitor for suspicious activity.
CVEs: CVE-2026-8037, CVE-2024-1212, CVE-2026-20245
Companies: Progress, eSentire, watchTowr Labs
Products: Progress Kemp LoadMaster
Original source: thehackernews.com