Progress Kemp LoadMaster pre-auth command injection (CVE-2026-8037)
Vulnerability
Summary
CVE-2026-8037 is a pre-auth command injection flaw in Progress Kemp LoadMaster: on appliances with the API enabled, it can be used to run commands as root. A patch is available, and Progress says it has no reports of exploitation so far. A working proof of concept is now public, which raises the risk for exposed LoadMaster instances. Administrators should move to GA v7.2.63.2 or LTSF v7.2.54.18 and limit API reachability.
Timeline
- 29.06.2026 03:00 · 2 articles · 1d ago
  watchTowr Labs publishes working proof of concept for LoadMaster root-command flaw
  Technical Analysis Update: watchTowr Labs publishes a detailed exploit-chain analysis and working proof of concept for CVE-2026-8037, showing how crafted JSON requests to the /accessv2 endpoint can execute commands as root on LoadMaster.
  Sources:
  - Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth — thehackernews.com — 30.06.2026 10:38
- 09.06.2026 03:00 · 1 article · 21d ago
  ZDI coordinates public advisory for CVE-2026-8037
  Industry Or Public Sector Update: ZDI coordinates the public advisory release for CVE-2026-8037, broadening notice of the LoadMaster pre-auth command-injection risk to defenders and administrators.
  Sources:
  - Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth — thehackernews.com — 30.06.2026 10:38
- 04.06.2026 03:00 · 1 article · 26d ago
  Progress publishes LoadMaster advisory and fixed versions for CVE-2026-8037
  Mitigation Patch Update: Progress publishes its advisory for CVE-2026-8037, says it has not received exploitation reports, and releases fixed LoadMaster versions GA v7.2.63.2 and LTSF v7.2.54.18 for appliances with the API enabled.
  Sources:
  - Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth — thehackernews.com — 30.06.2026 10:38
- 15.04.2026 03:00 · 1 article · 2mo ago
  Researcher reports LoadMaster command-injection flaw through ZDI
  Initial Disclosure: A TrendAI Research researcher reports CVE-2026-8037 in Progress Kemp LoadMaster through the Zero Day Initiative, identifying a pre-auth API flaw that can let an unauthenticated attacker execute commands as root on affected appliances.
  Sources:
  - Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth — thehackernews.com — 30.06.2026 10:38