PROBABLYPWNED
Vulnerabilities · July 3, 2026 · 3 min read

Kemp LoadMaster Pre-Auth RCE Exploited Days After PoC Release

CVE-2026-8037 lets unauthenticated attackers execute root-level commands on Progress Kemp LoadMaster appliances. Exploitation attempts started June 29, same day as PoC publication.

Marcus Chen

Exploitation attempts against Progress Kemp LoadMaster appliances began June 29—the same day watchTowr Labs published proof-of-concept code. The vulnerability, CVE-2026-8037, allows unauthenticated remote code execution with root privileges. eSentire's Threat Response Unit is tracking active campaigns, though no successful compromises have been confirmed yet.

The flaw carries a CVSS score of 9.6, reflecting the combination of no authentication requirement, remote attack vector, and root-level impact. Load balancers sit at network chokepoints, handling traffic for critical applications—compromising one gives attackers a privileged position for interception, redirection, or lateral movement.

The Vulnerability

CVE-2026-8037 stems from improper input handling in a function called escape_quotes(). According to watchTowr's analysis, the function failed to properly null-terminate sanitized strings, leading to an out-of-bounds read into adjacent heap memory.

Attackers exploit this by sending crafted requests to the /accessv2 endpoint. The memory corruption enables command injection, allowing arbitrary commands to execute on the appliance without valid credentials.

Exploitation Activity

eSentire observed exploitation attempts originating from three IP addresses:

  • 192.42.116[.]58
  • 192.42.116[.]105
  • 146.70.139[.]154

The timing is notable: PoC publication and exploitation attempts began on the same day. Attackers are clearly monitoring security research outputs and weaponizing disclosures within hours. This matches patterns we've seen with Cisco SD-WAN zero-days and SimpleHelp CVE-2026-48558 earlier this week.

Affected Versions

The vulnerability impacts:

  • Kemp LoadMaster GA version 7.2.63.1 and older
  • LTSF version 7.2.54.17 and older

Crucially, the flaw only affects devices where the API feature is enabled. If you've disabled the API, your attack surface is reduced—though updating remains critical.

Why Load Balancers Matter

Load balancers see all traffic flowing to backend applications. An attacker with root access to the appliance can:

  • Intercept credentials and session tokens in transit
  • Redirect traffic to malicious infrastructure
  • Inject content into responses
  • Pivot to backend systems using the load balancer's network position
  • Disable or degrade service availability

Many organizations treat load balancers as appliances rather than servers, applying less rigorous patching and monitoring than they would to a typical Linux host. Attackers know this.

Recommended Actions

  1. Apply Progress firmware updates immediately - Patched versions are available
  2. Disable the API if not required - Reduces attack surface if updates can't be applied quickly
  3. Block the attacker IPs - Add the three exploitation source IPs to perimeter deny lists
  4. Monitor /accessv2 endpoint logs - Unusual requests indicate exploitation attempts
  5. Review network segmentation - Load balancers shouldn't have unrestricted access to backend infrastructure management interfaces
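One way to act on steps 3 and 4 together: a small log triage script, added here as an example and not part of the article or any vendor tooling. It assumes the appliance exports Apache-style combined access logs (the real LoadMaster format may differ) and an allowlist of hosts permitted to reach the API; the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Exploitation source IPs reported in the article (defanged form decoded).
IOC_IPS = {"192.42.116.58", "192.42.116.105", "146.70.139.154"}

# Hosts allowed to use the management API. Placeholder value; assumption.
API_ALLOWLIST = {"10.0.0.5"}

# Assumed Apache-style combined log format; adjust the regex for your syslog feed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a /accessv2 request worth a look, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: not silently counted as benign elsewhere
    ip, path, status = m["ip"], m["path"], m["status"]
    if not path.split("?", 1)[0].startswith("/accessv2"):
        return None  # only the endpoint named in the advisory is of interest
    if ip in IOC_IPS:
        severity, reason = "high", "known exploitation source IP"
    elif ip not in API_ALLOWLIST:
        severity, reason = "medium", "API request from non-allowlisted source"
    else:
        return None  # expected administrative use
    return {"time": m["ts"], "ip": ip, "path": path, "status": status,
            "severity": severity, "reason": reason}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log excerpt and keep only findings."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines for demonstration; not real captured traffic.
SAMPLE_LOG = [
    '192.42.116.58 - - [29/Jun/2026:14:02:11 +0000] "POST /accessv2 HTTP/1.1" 500 0',
    '10.0.0.5 - - [29/Jun/2026:14:05:00 +0000] "GET /accessv2 HTTP/1.1" 200 812',
    '203.0.113.7 - - [29/Jun/2026:14:06:30 +0000] "GET /accessv2 HTTP/1.1" 401 0',
    '10.0.0.9 - - [29/Jun/2026:14:07:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['time']} {hit['ip']} {hit['path']} "
              f"-> {hit['status']} ({hit['reason']})")
```

A 5xx on /accessv2 from an unknown source is the combination to escalate first, since a failed attempt at the memory-corruption path is likely to surface as a server error rather than a clean 401.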

H-ISAC issued a TLP:WHITE bulletin on July 1 warning healthcare organizations specifically about this threat. The sector's reliance on application delivery controllers makes it a priority target.

If you run Kemp LoadMaster with the API enabled and haven't patched, assume you're being probed. The PoC is public, exploitation is active, and the time between disclosure and weaponization has collapsed to zero.
