ZeroPath at Black Hat USA 2026

Progress Kemp LoadMaster CVE-2026-8037: Brief Summary of a Critical Unauthenticated Command Injection

A brief summary of CVE-2026-8037, a critical unauthenticated OS command injection in the Progress Kemp LoadMaster API that allows remote code execution across multiple ADC product lines, along with vendor history and affected version details.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-04

Progress Kemp LoadMaster CVE-2026-8037: Brief Summary of a Critical Unauthenticated Command Injection
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated OS command injection in the Progress Kemp LoadMaster API gives remote attackers the ability to execute arbitrary commands on the appliance with zero credentials required, scoring a CVSS 9.8. This is the second time in roughly two years that an unauthenticated command injection has surfaced in the LoadMaster API, following CVE-2024-1212 discovered by Rhino Security Labs in early 2024, and it arrives just two months after Progress patched four authenticated command injection flaws in the same product line.

Progress Kemp LoadMaster is an application delivery controller (ADC) and load balancer product line that includes hardware, virtual, and cloud native deployments. Gartner lists it as the top alternative to F5 BIG-IP, and it serves organizations requiring Layer 4/7 load balancing, WAF, SSL offloading, and global server load balancing. Progress Software acquired Kemp Technologies for $258 million in 2021, integrating the LoadMaster product family into its broader infrastructure software portfolio.

Technical Information

Root Cause: Unsanitized Input in API Command Endpoints

CVE-2026-8037 is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). The vulnerability resides in the API of Progress ADC Products, where user supplied input across multiple command endpoints is not properly sanitized before being passed to OS command execution functions. Because no authentication is required to reach these endpoints, any attacker with network access to the LoadMaster management interface can inject arbitrary OS commands.

The CVSS v3.1 base score assigned by Progress is 9.8, with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The breakdown is as follows:

CVSS ComponentValueMeaning
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)LowNo specialized conditions required
Privileges Required (PR)NoneNo authentication needed
User Interaction (UI)NoneNo user action needed
Scope (S)UnchangedImpact confined to the vulnerable component
Confidentiality (C)HighComplete information disclosure
Integrity (I)HighComplete system modification possible
Availability (A)HighComplete denial of service possible

As of the June 4, 2026 NVD publication, the record was marked "Awaiting Enrichment," meaning the official NIST CVSS score had not yet been formally assigned. The 9.6 score referenced in some sources may reflect a different scoring methodology or version.

Historical Parallel: CVE-2024-1212

The exploitation pattern for CVE-2026-8037 is consistent with CVE-2024-1212, the prior unauthenticated command injection in LoadMaster. In that case, Rhino Security Labs demonstrated that the /access REST API endpoint processed user input through a binary that retrieved REMOTE_USER and REMOTE_PASS environment variables from the basic authentication header. These values were passed unsanitized through a __sprintf_chk() function and the resulting string was executed via a system() call. An attacker could break out of the intended command context by injecting a single quote and semicolon into the base64 encoded authorization string, achieving arbitrary command execution.

While the specific endpoints differ for CVE-2026-8037, the underlying mechanism is the same: unsanitized input being passed to OS command execution functions. The advisory's reference to "multiple command endpoints" confirms the pattern was more pervasive than what was addressed in prior patches.

Relationship to the April 2026 Vulnerability Cluster

CVE-2026-8037 represents a significant escalation from the April 2026 LoadMaster vulnerabilities. Those four flaws all required authenticated attackers with specific permission levels:

CVE IDPermission RequiredCommand EndpointCVSS
CVE-2026-3517Geo Administrationaddcountry7.2
CVE-2026-3518All permissionskillsession7.2
CVE-2026-3519VS Administrationaclcontrol7.2
CVE-2026-4048All permissionsCustom WAF rule file upload7.2

CVE-2026-8037 removes the authentication barrier entirely, jumping the CVSS from 7.2 to 9.8. The progression suggests the April 2026 patches addressed specific command endpoints but did not comprehensively audit the entire API surface for the same unsanitized input pattern.

Companion Vulnerability: CVE-2026-33691 (WAF Bypass)

The same June 2026 bulletin also addresses CVE-2026-33691, a high severity WAF bypass. This flaw occurs because the OWASP Core Rule Set (CRS) fails to normalize whitespace in filenames before applying file extension checking regular expressions. Specially crafted HTTP multipart requests containing encoded malicious payloads with whitespace padding in filenames can bypass WAF detection on the LoadMaster appliance.

The combination of a WAF bypass and an unauthenticated command injection in the same product creates a compounded risk scenario: an attacker could first evade WAF protections and then exploit the API command injection.

Impact of Compromise

Load balancers and ADCs occupy a privileged position in network architecture, sitting at the intersection of external traffic and internal application servers. Compromise of a LoadMaster appliance could allow an attacker to:

  • Intercept and manipulate traffic flowing through the load balancer
  • Pivot to backend application servers
  • Disrupt availability of all load balanced services
  • Extract SSL/TLS certificates and encryption keys
  • Modify WAF security policies to enable further attacks

Affected Systems and Versions

The vulnerability impacts four distinct product lines. The following table lists the vulnerable and fixed versions:

ProductVulnerable VersionsFixed Version
Progress Kemp LoadMaster GAv7.2.63.1 and all priorGA v7.2.63.2
Progress Kemp LoadMaster LTSFv7.2.54.17 and all priorLTSF v7.2.54.18
Progress ECS Connection Managerv7.2.63.1 and all priorv7.2.63.2
Progress Connection Manager for ObjectScalev7.2.63.1 and all priorv7.2.63.2

To verify the current firmware version, administrators can log into the web UI where the version string is displayed in the top right corner, or check the console output after booting the appliance.

Progress strongly recommends performing a firmware upgrade to the latest fixed version immediately. Customers on a current maintenance agreement can access the upgrade via the Progress Download Hub. Accompanying XML checksum verification files are available for integrity validation of the firmware images. Customers not on a current maintenance agreement should contact a Progress Sales Representative or their respective Partner to obtain the update.

The advisory does not document any workaround or compensating control as an alternative to patching. Restricting network access to the LoadMaster management API interface to trusted internal networks would reduce exposure but cannot be considered a complete mitigation.

Vendor Security History

Progress Software has accumulated a notable track record of critical security vulnerabilities across multiple product lines:

TimelineCVE(s)ProductAuth RequiredExploited in Wild
May 2023CVE-2023-34362MOVEit TransferNoYes (Clop/TA505)
Jan 2024CVE-2024-1212LoadMasterNoNot confirmed
Apr 2026CVE-2026-3517, 3518, 3519, 4048LoadMaster/MOVEit WAFYesNo
Apr 2026CVE-2026-21876MOVEit WAFN/A (WAF bypass)No
Apr 2026CVE-2026-4670MOVEit AutomationNo (auth bypass)Not confirmed
Jun 2026CVE-2026-8037LoadMasterNoNo (as of Jun 4)
Jun 2026CVE-2026-33691LoadMasterN/A (WAF bypass)No (as of Jun 4)

The most significant precedent is CVE-2023-34362 in MOVEit Transfer, which was mass exploited by the Clop ransomware group (TA505) beginning in May 2023, impacting thousands of organizations worldwide.

The recurrence of OS command injection flaws across multiple API endpoints in LoadMaster, spanning both authenticated (April 2026) and unauthenticated (CVE-2024-1212, CVE-2026-8037) attack surfaces, indicates a systemic deficiency in input sanitization practices across the LoadMaster API codebase. Two separate patch cycles in 2026 alone have addressed command injection in this product, and the June disclosure confirms the April patches did not comprehensively resolve the underlying pattern.

As of June 4, 2026, Progress reported no known exploitation or direct operational impact to customers from CVE-2026-8037. No CISA Known Exploited Vulnerabilities (KEV) catalog entry has been published. However, VulnCheck research from May 2026 found that among routinely targeted CVEs disclosed in 2026, most were not exploited at the time of disclosure but were subsequently used in the wild, illustrating that the window between disclosure and exploitation is typically short for vulnerabilities with these characteristics.

Organizations evaluating Progress products should factor this recurring vulnerability pattern into vendor risk assessments and demand evidence of systemic remediation beyond point patches.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization