CVE-2026-8037 is a pre-authentication remote code execution flaw in Progress Kemp LoadMaster, a widely deployed enterprise load balancer, and it is now under active attack. Rated up to CVSS 9.8, the bug lets an unauthenticated attacker send a crafted request to the device's API and execute arbitrary system commands, no login required. Exploitation attempts began on June 29, 2026, the same day a working proof-of-concept was published. If you run LoadMaster with the API enabled, patch immediately.

  • CVE-2026-8037 is a pre-auth OS command injection in Kemp LoadMaster, scored 9.8 by ZDI and 9.6 in some advisories.
  • The root cause is a function named escape_quotes() that uses an uninitialized buffer and omits a null terminator, causing an out-of-bounds heap read that lands in a system() call.
  • Attacks hit the /accessv2 endpoint and began on June 29, 2026, hours after watchTowr Labs released a public PoC.
  • It affects GA v7.2.63.1 and earlier and LTSF v7.2.54.17 and earlier when the API is enabled; patched firmware is available.
Fig 1 How CVE-2026-8037 chains to remote code execution (flow diagram, recovered as text): unauthenticated request → /accessv2 → escape_quotes() → malloc, no null terminator → out-of-bounds heap read → sprintf overrun → system() runs attacker command. No credentials, no user interaction, and the device sits at the network edge. watchTowr published a full technical breakdown and PoC by diffing the patch. Also patched: CVE-2026-33691, a WAF bypass via whitespace-padded filenames.
The chain is short and brutal: a single unauthenticated request to /accessv2 flows through a buffer that is never null-terminated, overruns into heap memory, and ends inside a system() call the attacker controls.

What is the vulnerability?

LoadMaster is an application delivery controller and load balancer that sits at the network edge, distributing traffic across servers. Any pre-auth flaw in a device in that position is dangerous by definition, and this one is textbook. watchTowr Labs traced it to escape_quotes(), a sanitization function that allocates a buffer with malloc but leaves it uninitialized, then fails to write a null terminator after building the escaped string. That pointer is later fed into a sprintf and system() chain that constructs a validuser command line. Because sprintf's %s copies until it finds a NUL, the missing terminator lets it read past the escaped bytes into adjacent heap memory, and whatever sits there, which the escaping routine never saw, becomes part of the command. That is the opening for command injection through the /accessv2 endpoint.
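To make the mechanism concrete, here is an added illustration of the bug class, not the LoadMaster source and not watchTowr's code. The function names follow the page (escape_quotes, validuser), but the bodies, the buffer sizes, and the "stale heap" contents are all constructed for the demo: a fixed-size chunk stands in for the malloc'd block, pre-filled with bytes an earlier attacker-shaped request is assumed to have left behind, and snprintf replaces the reported sprintf so that only the terminator bug is on display.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative reconstruction of the bug class behind CVE-2026-8037.
 * NOT the vendor's code: bodies, sizes and stale-heap contents are constructed.
 *
 * Escape single quotes for a single-quoted shell argument: ' becomes '\''.
 * With terminate == 0 it behaves like the reported flaw: the escaped bytes
 * are written, but no NUL follows them.  Returns the number of bytes written.
 */
static size_t escape_quotes(char *out, const char *in, int terminate)
{
    size_t n = 0;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *p;
        }
    }
    if (terminate)
        out[n] = '\0';          /* the one byte the vulnerable version omits */
    return n;
}

#define CHUNK_SIZE 64

/*
 * Build the validuser command line.  `chunk` stands in for a malloc'd block;
 * its contents before the escape step are a constructed stand-in for stale
 * data left by an earlier request (here already attacker-shaped).
 * fixed == 1 writes the terminator, fixed == 0 reproduces the flaw.
 * Returns a pointer to a static buffer holding the built command.
 */
static const char *validuser_cmd(const char *user, int fixed)
{
    static char cmd[128];
    char chunk[CHUNK_SIZE];

    /* worst case is every input byte expanding to four, plus the NUL */
    if (strlen(user) * 4 + 1 > sizeof chunk)
        return NULL;

    memset(chunk, 0, sizeof chunk);
    strcpy(chunk, "alice'; id #");       /* constructed stale heap bytes */

    escape_quotes(chunk, user, fixed);

    /* %s copies until the first NUL.  Without one it keeps going into the
       stale bytes, which never passed through the escaper. */
    snprintf(cmd, sizeof cmd, "validuser '%s'", chunk);
    return cmd;
}

/* Crude check: a ';' in the built command means the quoting was escaped. */
static int looks_injected(const char *cmd)
{
    return cmd != NULL && strchr(cmd, ';') != NULL;
}

int main(void)
{
    const char *c;

    c = validuser_cmd("bob", 0);
    printf("unterminated: %s  (injected=%d)\n", c, looks_injected(c));
    /* prints: validuser 'bobce'; id #'  (injected=1) */

    c = validuser_cmd("bob", 1);
    printf("terminated:   %s  (injected=%d)\n", c, looks_injected(c));
    /* prints: validuser 'bob'  (injected=0) */

    c = validuser_cmd("o'brien", 1);
    printf("quoted user:  %s  (injected=%d)\n", c, looks_injected(c));
    /* prints: validuser 'o'\''brien'  (injected=0) */
    return 0;
}
```

The point the demo makes is that the escaper did its job on the bytes it was given; the injection comes from bytes it never saw. Adding the terminator is the fix, but the general hardening is to never hand a malloc'd, partially written buffer to a %s formatter, and to prefer snprintf with an explicit size over sprintf so a bad length cannot also overrun the destination.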


Is it being exploited?

Yes. eSentire's Threat Response Unit observed exploitation attempts targeting CVE-2026-8037 starting June 29, 2026. The attempts eSentire saw failed, with no post-compromise activity, but that is cold comfort: a public proof-of-concept and detailed technical writeup are already circulating, which historically drives a wave of follow-on attacks within days. The window between disclosure and mass exploitation on edge appliances is measured in hours now, not weeks.

How did this unfold?

  1. Apr 15 2026: Reported to Progress by Syed Ibrahim Ahmed of TrendAI Research, via the Zero Day Initiative.
  2. Jun 4 2026: Progress publishes its advisory and patched firmware. No reports of exploitation at the time.
  3. Jun 9 2026: ZDI coordinates public disclosure.
  4. Jun 29 2026: watchTowr publishes its patch-diff breakdown and working PoC; exploitation attempts begin the same day.

Am I affected, and what do I do?

You are exposed if you run LoadMaster GA v7.2.63.1 or earlier, or LTSF v7.2.54.17 or earlier, with the API enabled. Progress has released patched firmware that fully resolves the issue, and the same advisory fixes a related flaw, CVE-2026-33691, a WAF bypass where whitespace padding in filenames could slip past file-upload extension checks. The immediate actions are simple: apply the patched firmware now, and seriously question whether the management API needs to be reachable at all, especially from the internet.

Why are load balancers such a prized target?

A load balancer like LoadMaster is one of the most valuable footholds an attacker can win, which is what makes any pre-auth flaw in it a five-alarm event. It terminates traffic for the servers behind it, so it routinely sees credentials, session tokens and internal requests in the clear. It sits at the network edge with a management interface that too often faces the internet, and it is trusted implicitly by the systems it fronts, giving an attacker who lands there a launch pad deep into the internal network. The 2026 Verizon DBIR made the trend explicit: software vulnerabilities have overtaken stolen passwords as the top way attackers get in, and edge appliances are where that shift bites hardest. A single unauthenticated command-execution bug on a device in this position is close to a worst case, because it hands an outsider root-level reach without ever touching a login page.


What to watch · now
  • Mass scanning. With a PoC public, expect internet-wide scanning of /accessv2 within days. Assume any exposed, unpatched device will be found.
  • CISA KEV listing. A prior LoadMaster command-injection bug, CVE-2024-1212 at CVSS 10.0, was added to CISA's Known Exploited Vulnerabilities catalog in 2024. Prediction: this one follows if exploitation succeeds anywhere.
  • Attack-surface hygiene. The real lesson is exposure. An edge appliance with an internet-reachable API is a standing liability regardless of the current CVE.

Our take

This is a near-perfect example of why edge appliances are the softest target in the modern enterprise. A single-byte mistake, a missing null terminator, turns a sanitization routine into pre-auth remote code execution on a device that sees every packet entering the network. The disclosure timeline is the part defenders should internalize: patch available June 4, public PoC June 29, exploitation June 29. That compression is the new normal, and it means a monthly patch cadence is no longer fast enough for edge gear. If you run LoadMaster, treat this as a same-day fix, and use it as a prompt to ask why the management API is reachable in the first place.

Primary sources

Original analysis by GenZTech. Based on watchTowr's CVE-2026-8037 report, current as of July 2026.