Progress Kemp LoadMaster CVE-2026-8037 pre-auth RCE

Summary

CVE-2026-8037 is a pre-authentication remote-code-execution vulnerability in Progress Kemp LoadMaster when the API is enabled. Progress disclosed the issue in a June 2026 LoadMaster security bulletin; watchTowr Labs published a technical analysis on June 29, 2026 showing how the bug can be driven through the /accessv2 API endpoint.

watchTowr describes the flaw as an uninitialized-memory bug in LoadMaster's API credential handling, not a simple shell metacharacter escaping miss. An unauthenticated request can use the apiuser field, JSON heap spraying, and adjacent uninitialized heap content to smuggle a command-injection payload into the command constructed by the access executable.

Why this matters

  • Load balancers and application delivery controllers often sit at the network edge and terminate high-value application traffic; compromise can become an ingress, credential, traffic-inspection, or pivot point.
  • The exploit path is reachable before authentication when the API is enabled, so internet-exposed or partner-exposed management/API surfaces deserve emergency review.
  • watchTowr's analysis includes enough exploit mechanics to make defender exposure reduction urgent even if no public mass exploitation has been confirmed.
  • Appliance compromise routinely has weak endpoint telemetry. Treat exposed vulnerable LoadMaster systems as incident-response objects, not just patching tickets.

Public vulnerability detail

  • Product: Progress Kemp LoadMaster load balancer / application delivery controller.
  • Vulnerability: CVE-2026-8037, described by Progress as a command-injection remote-code-execution issue and by watchTowr as an apiuser uninitialized-memory path to command injection.
  • Companion bulletin item: Progress's June 2026 bulletin title also references CVE-2026-33691; keep both CVEs in asset and ticket searches until vendor-specific applicability is confirmed.
  • Access requirement: remote, unauthenticated access to the LoadMaster API when the API is enabled.
  • Affected versions named by watchTowr: Kemp LoadMaster GA v7.2.63.1 and older; Kemp LoadMaster LTSF v7.2.54.17 and older.
  • Patched version diffed by watchTowr: GA v7.2.63.2; use the Progress bulletin as source of truth for branch-specific fixed versions and upgrade paths.
  • Endpoint discussed publicly: POST /accessv2 with JSON fields including cmd, apiuser, and apipass.
  • Exploit mechanics in public analysis: single-quote expansion in apiuser, a missing null terminator / uninitialized heap read condition, heap spraying through additional JSON key/value pairs, and command injection after adjacent heap placement.

Defender heuristics

  1. Inventory Progress Kemp LoadMaster deployments, including virtual appliances, cloud images, disaster-recovery instances, partner-accessible systems, and management/API interfaces behind reverse proxies.
  2. Determine whether the API is enabled. If API access is enabled on GA v7.2.63.1 or older, or LTSF v7.2.54.17 or older, treat the system as an emergency patch and exposure-reduction candidate.
  3. Apply Progress's June 2026 LoadMaster fixes or the appropriate later fixed branch. If patching cannot be immediate, restrict API and management access to a tightly scoped administrative network or VPN allow-list.
  4. Preserve appliance, reverse-proxy, VPN, WAF, firewall, and load-balancer logs before rebooting or rebuilding, especially request logs for /accessv2.
  5. Hunt for unauthenticated or anomalous POST /accessv2 requests, JSON bodies with unusual apiuser values, many additional JSON keys, quote-heavy strings, command separators, shell fragments, or repeated malformed API calls.
  6. Review appliance configuration, virtual service definitions, certificate stores, local users, API users, admin sessions, backups, and recently changed health checks or scripts.
  7. Check for outbound connections, unexpected DNS lookups, file writes, cron or startup persistence, new accounts, web shells, altered firmware/package state, or tampered logs on the appliance and adjacent management hosts.
  8. Rotate credentials and certificates accessible to the LoadMaster after containment, including API credentials, local admin passwords, private keys, upstream service credentials, and any secrets stored in virtual-service configuration.
  9. For internet-facing deployments, consider threat-hunting the downstream application environment for traffic replay, credential capture, injected headers, or route/configuration changes during the exposure window.
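The hunting criteria in step 5 as a small triage script, added here as an example that is not from the Progress bulletin or the watchTowr write-up. It assumes a reverse proxy or WAF logs each POST as a record with `src`, `path` and the raw `body`; the sample records and the thresholds (`MAX_EXTRA_KEYS`, `MAX_QUOTES`, length limit) are constructed for illustration and should be tuned to the normal API clients in your environment.

```python
import json
import re

# Fields a legitimate /accessv2 call carries, per the public analysis.
EXPECTED_KEYS = {"cmd", "apiuser", "apipass"}
# Assumed thresholds for this example; tune against your own baseline traffic.
MAX_EXTRA_KEYS = 2
MAX_QUOTES = 1
MAX_APIUSER_LEN = 64
SHELL_FRAGMENT = re.compile(r"[;&|`]|\$\(")

# Constructed sample records (not real traffic). The second one carries a
# quote run in apiuser plus padding keys, the pattern step 5 asks hunters to flag.
SPRAY_BODY = json.dumps({"cmd": "listvs", "apiuser": "a" + "'" * 7, "apipass": "x",
                         **{f"k{i}": "A" * 32 for i in range(6)}})
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/accessv2",
     "body": '{"cmd":"listvs","apiuser":"monitor","apipass":"REDACTED"}'},
    {"src": "198.51.100.7", "path": "/accessv2", "body": SPRAY_BODY},
    {"src": "198.51.100.8", "path": "/accessv2", "body": "not-json"},
]


def score_request(record):
    """Return the list of reasons a /accessv2 POST looks anomalous (empty = benign)."""
    reasons = []
    if record.get("path") != "/accessv2":
        return reasons
    try:
        body = json.loads(record["body"])
    except (ValueError, KeyError):
        return ["malformed JSON body"]
    if not isinstance(body, dict):
        return ["non-object JSON body"]
    extra = set(body) - EXPECTED_KEYS
    if len(extra) > MAX_EXTRA_KEYS:
        reasons.append(f"{len(extra)} unexpected JSON keys (possible heap spray)")
    apiuser = str(body.get("apiuser", ""))
    if apiuser.count("'") > MAX_QUOTES:
        reasons.append("quote-heavy apiuser")
    if SHELL_FRAGMENT.search(apiuser):
        reasons.append("shell metacharacters in apiuser")
    if len(apiuser) > MAX_APIUSER_LEN:
        reasons.append("unusually long apiuser")
    return reasons


def triage(records):
    """Pair each flagged record's source address with its reasons, in log order."""
    hits = []
    for record in records:
        reasons = score_request(record)
        if reasons:
            hits.append((record["src"], reasons))
    return hits
```

Repeated hits from one source, or any hit from an address outside the administrative allow-list in step 3, should open the incident-response track described in steps 4 and 6 rather than just a patching ticket.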

Sources

  • watchTowr Labs: https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/
  • Progress LoadMaster June 2026 security bulletin: https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691