Kemp LoadMaster Pre-Auth RCE Exploited Days After PoC Release
CVE-2026-8037 lets unauthenticated attackers execute root-level commands on Progress Kemp LoadMaster appliances. Exploitation attempts started June 29, same day as PoC publication.
Exploitation attempts against Progress Kemp LoadMaster appliances began June 29—the same day watchTowr Labs published proof-of-concept code. The vulnerability, CVE-2026-8037, allows unauthenticated remote code execution with root privileges. eSentire's Threat Response Unit is tracking active campaigns, though no successful compromises have been confirmed yet.
The flaw carries a CVSS score of 9.6, reflecting the combination of no authentication requirement, remote attack vector, and root-level impact. Load balancers sit at network chokepoints, handling traffic for critical applications—compromising one gives attackers a privileged position for interception, redirection, or lateral movement.
The Vulnerability
CVE-2026-8037 stems from improper input handling in a function called escape_quotes(). According to watchTowr's analysis, the function failed to properly null-terminate sanitized strings, leading to an out-of-bounds read into adjacent heap memory.
Attackers exploit this by sending crafted requests to the /accessv2 endpoint. The memory corruption enables command injection, allowing arbitrary commands to execute on the appliance without valid credentials.
Exploitation Activity
eSentire observed exploitation attempts originating from three IP addresses:
- 192.42.116[.]58
- 192.42.116[.]105
- 146.70.139[.]154
The timing is notable: PoC publication and exploitation attempts began on the same day. Attackers are clearly monitoring security research outputs and weaponizing disclosures within hours. This matches patterns we've seen with Cisco SD-WAN zero-days and SimpleHelp CVE-2026-48558 earlier this week.
Affected Versions
The vulnerability impacts:
- Kemp LoadMaster GA version 7.2.63.1 and older
- LTSF version 7.2.54.17 and older
Crucially, the flaw only affects devices where the API feature is enabled. If you've disabled the API, your attack surface is reduced—though updating remains critical.
Why Load Balancers Matter
Load balancers see all traffic flowing to backend applications. An attacker with root access to the appliance can:
- Intercept credentials and session tokens in transit
- Redirect traffic to malicious infrastructure
- Inject content into responses
- Pivot to backend systems using the load balancer's network position
- Disable or degrade service availability
Many organizations treat load balancers as appliances rather than servers, applying less rigorous patching and monitoring than they would to a typical Linux host. Attackers know this.
Recommended Actions
- Apply Progress firmware updates immediately: patched versions are available
- Disable the API if not required: this reduces the attack surface if updates can't be applied quickly
- Block the attacker IPs: add the three exploitation source IPs to perimeter deny lists
- Monitor /accessv2 endpoint logs: unusual requests indicate exploitation attempts
- Review network segmentation: load balancers shouldn't have unrestricted access to backend infrastructure management interfaces
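The log-monitoring and IP-blocking steps above can be combined into a small triage script. The following is an added example, not code from the article, eSentire, watchTowr or Progress. It assumes the appliance's web access log can be exported in a Common Log Format style (an assumption about LoadMaster; adjust the regex to the real format) and that only a known management range is expected to call the API. The sample log lines are constructed for illustration; the three source IPs are the ones the article lists.

```python
"""Triage LoadMaster access-log lines for suspicious /accessv2 requests.

Added example, not from the article or the vendor. Assumes a Common Log
Format style line layout; adapt LOG_RE to the appliance's real format.
"""
import ipaddress
import re
from collections import Counter

# Exploitation source IPs named in the article (shown defanged there).
IOC_IPS = {"192.42.116.58", "192.42.116.105", "146.70.139.154"}

# Assumed allowlist of hosts that legitimately call the LoadMaster API
# (constructed value; replace with your management network).
EXPECTED_API_CLIENTS = [ipaddress.ip_network("10.0.5.0/24")]

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return a dict or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return the reasons a parsed request is suspicious (empty list = benign).

    Only the /accessv2 API endpoint is of interest here; other paths are ignored.
    """
    reasons = []
    if not rec["path"].startswith("/accessv2"):
        return reasons
    src = ipaddress.ip_address(rec["ip"])
    if rec["ip"] in IOC_IPS:
        reasons.append("source IP matches published IoC")
    if not any(src in net for net in EXPECTED_API_CLIENTS):
        reasons.append("API call from outside expected client range")
    return reasons


def triage(lines):
    """Run every line through the parser and classifier.

    Returns (findings, per_ip): findings is a list of (ip, path, reasons)
    tuples for flagged requests; per_ip counts flagged requests per source.
    """
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would log this
        reasons = classify(rec)
        if reasons:
            per_ip[rec["ip"]] += 1
            findings.append((rec["ip"], rec["path"], reasons))
    return findings, per_ip


# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = [
    '10.0.5.12 - - [29/Jun/2026:10:01:02 +0000] "GET /accessv2 HTTP/1.1" 200 512',
    '192.42.116.58 - - [29/Jun/2026:10:03:44 +0000] "POST /accessv2 HTTP/1.1" 500 120',
    '203.0.113.9 - - [29/Jun/2026:10:05:10 +0000] "GET /accessv2 HTTP/1.1" 401 98',
    '198.51.100.7 - - [29/Jun/2026:10:06:00 +0000] "GET / HTTP/1.1" 200 2048',
    'not a log line',
]

if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for ip, path, why in found:
        print(f"{ip} {path}: {'; '.join(why)}")
    print("flagged per source:", dict(counts))
```

Requests from the management range are left alone, a request from a published IoC address is flagged on two counts, and any other external caller of the API is flagged as out of range. The per-source counts are what you would feed into a perimeter deny list or a SIEM alert.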
H-ISAC issued a TLP:WHITE bulletin on July 1 warning healthcare organizations specifically about this threat. The sector's reliance on application delivery controllers makes it a priority target.
If you run Kemp LoadMaster with the API enabled and haven't patched, assume you're being probed. The PoC is public, exploitation is active, and the time between disclosure and weaponization has collapsed to zero.