A severe security flaw in Progress Kemp LoadMaster has been uncovered, threatening enterprise networks worldwide. Tracked as CVE-2026-8037, the vulnerability allows remote, unauthenticated attackers to execute code on affected devices. Kemp LoadMaster, a load balancer and application delivery controller, is widely deployed to manage and secure network traffic. The flaw, discovered by researchers at WatchTowr Labs, stems from unsafe memory handling in the device's access executable: the routine meant to sanitize user input before it is executed produces an unterminated buffer, so the sanitization step itself is broken and attacker-controlled input reaches execution.
The vulnerability was first reported by Syed Ibrahim Ahmed from TrendAI Research, and Progress released an advisory on June 4, 2026. The Zero Day Initiative assigned a critical CVSS score of 9.8, reflecting remote exploitability without credentials and the root-level access an attacker gains on a compromised device. Organizations that expose LoadMaster at the network perimeter are particularly at risk, and every delay in patching extends the window of exposure.
The defect lies in a function called escape_quotes(), which fails to append a null terminator to its output buffer, so code that subsequently treats the result as a C string reads past the end of the buffer (the out-of-bounds memory access). Attackers reach the flaw by sending command injection payloads to the /accessv2 API endpoint. It affects Kemp LoadMaster GA version 7.2.63.1 and earlier, and LTSF version 7.2.54.17 and earlier, when the API feature is enabled.
Progress has released updated firmware that corrects the buffer allocation and adds the missing null terminator. Administrators should upgrade to GA version 7.2.63.2 or LTSF version 7.2.54.18. Because the flaw is reachable only when the API feature is enabled, disabling the API or restricting access to the management interface reduces exposure until the upgrade can be applied. Organizations without an active maintenance agreement should contact their vendor partner to obtain the update.
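To make the defect and the fix concrete, the following is an added illustration in C. It is not LoadMaster's code (which is not public) and the function names, buffer-based interface, sentinel check and test inputs are all assumptions: a buggy escape_quotes() that sizes its output for the escaped bytes only and never writes the terminator, beside a corrected version that reserves the extra byte and always terminates, matching the bug and the fix described above.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction for illustration only; not LoadMaster's code.
 * Both variants escape '"' and '\\' with a leading backslash and write the
 * result into a caller-supplied buffer of size outsz. */

/* Bytes needed for the escaped form of `in`, excluding the NUL terminator.
 * Each '"' or '\\' costs two bytes, everything else one. */
static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++)
        n += (*in == '"' || *in == '\\') ? 2 : 1;
    return n;
}

/* Buggy variant (assumed shape of the original defect): the size check
 * leaves no room for '\0' and the terminator is never written. A caller
 * that later treats `out` as a C string reads past the buffer, which is the
 * out-of-bounds access the advisory describes. Returns bytes written or -1. */
long escape_quotes_buggy(const char *in, char *out, size_t outsz) {
    size_t need = escaped_len(in);
    if (need > outsz)               /* off by one: should be need + 1 */
        return -1;
    char *o = out;
    for (; *in; in++) {
        if (*in == '"' || *in == '\\')
            *o++ = '\\';
        *o++ = *in;
    }
    /* missing: *o = '\0'; */
    return (long)(o - out);
}

/* Fixed variant: reserves one extra byte and always NUL-terminates.
 * An exactly-sized buffer is now rejected instead of silently unterminated. */
long escape_quotes_fixed(const char *in, char *out, size_t outsz) {
    size_t need = escaped_len(in);
    if (need + 1 > outsz)           /* room for escaped bytes and the '\0' */
        return -1;
    char *o = out;
    for (; *in; in++) {
        if (*in == '"' || *in == '\\')
            *o++ = '\\';
        *o++ = *in;
    }
    *o = '\0';
    return (long)(o - out);
}

/* Scratch buffer used by the checks below (constructed test fixture). */
char scratch[16];

/* Check helper: fill `out` with a sentinel, run `fn`, and report whether a
 * terminator landed inside the buffer. Returns 1 = terminated,
 * 0 = not terminated, -1 = fn rejected the input as too long. */
int terminated_after(long (*fn)(const char *, char *, size_t),
                     const char *in, char *out, size_t outsz) {
    memset(out, 'X', outsz);
    long n = fn(in, out, outsz);
    if (n < 0)
        return -1;
    return memchr(out, '\0', outsz) != NULL;
}
```

With the constructed input `a"b` (escaped form `a\"b`, four bytes), the buggy routine returns 4 and leaves the buffer unterminated, so any strlen() or strcmp() on it walks into whatever follows; the fixed routine returns 4 with a terminator at index 4, and refuses a four-byte buffer outright because there is no room for the terminator.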