Progress Kemp LoadMaster Pre-Auth RCE via Uninitialized Heap Buffer
Critical vulnerability CVE-2026-8037 in the LoadMaster API lets unauthenticated attackers execute arbitrary commands as root through a malformed request that exploits an uninitialized heap buffer and a missing null terminator in the escape_quotes() input sanitization function.
Attack Brief
Target: Progress Kemp LoadMaster
Vector: Pre-authentication remote code execution via an uninitialized heap buffer and a missing null terminator in the input sanitization function escape_quotes()
Attribution: Syed Ibrahim Ahmed of TrendAI Research; independently analyzed by watchTowr Labs
Technical Details
CVE IDs: CVE-2026-8037, CVE-2026-33691
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)
Affected: LoadMaster GA v7.2.63.1 and older; LTSF v7.2.54.17 and older (only when the API is enabled)
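The bug class named above, as an added illustration that is not LoadMaster code and not taken from either research write-up: an escaping routine writes into a freshly allocated buffer and never appends the terminating NUL, so the next strlen()/%s over the result runs on into whatever the heap already held. The arena, its seeded "stale" bytes, the value "ab" and the /opt/bin/authcheck command line are all constructed for the demo; a real heap is not this deterministic, which is exactly why the attacker needs the key/value padding to shape it.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64

/* Stand-in for a malloc'ed chunk that still holds bytes from an earlier
 * allocation. Seeding it with shell metacharacters models what an attacker
 * reaches by grooming the heap with many key/value pairs before the
 * vulnerable call. (Constructed for this demo, not observed data.) */
static void seed_stale_heap(char *arena) {
    memset(arena, 'Z', ARENA_SIZE);
    memcpy(arena + 8, "; id", 5);        /* "ZZZZZZZZ; id\0ZZZ..." */
}

/* Backslash-escapes '"' and '\\' from `in` into `out`, which must hold at
 * least 2*strlen(in)+1 bytes. With terminate == 0 this reproduces the bug
 * class the advisory describes: no '\0' is written, so any later strlen()
 * or %s runs on into whatever the buffer already held. Returns bytes written. */
static size_t escape_quotes_into(char *out, const char *in, int terminate) {
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '"' || *p == '\\')
            out[j++] = '\\';
        out[j++] = *p;
    }
    if (terminate)
        out[j] = '\0';                   /* the one line the fix needs */
    return j;
}

/* Models a later step that trusts the escaped value as a C string and
 * embeds it in a command line. The program path is hypothetical. */
static int build_command(char *cmd, size_t cap, const char *escaped) {
    return snprintf(cmd, cap, "/opt/bin/authcheck -u \"%s\"", escaped);
}

/* Runs seed -> escape -> build for the value "ab" and returns the command a
 * caller would hand to system(). fixed selects the terminating escaper. */
static const char *demo(int fixed) {
    static char arena[ARENA_SIZE];
    static char cmd[128];
    seed_stale_heap(arena);
    escape_quotes_into(arena, "ab", fixed);
    build_command(cmd, sizeof cmd, arena);
    return cmd;
}

/* Hardened convenience wrapper: bounded input, always NUL-terminated. */
static const char *escaped_copy(const char *in) {
    static char buf[2 * 32 + 1];
    if (strlen(in) > 32)
        return NULL;
    escape_quotes_into(buf, in, 1);
    return buf;
}

int main(void) {
    printf("vulnerable: %s\n", demo(0));  /* stale "; id" lands in the command */
    printf("fixed:      %s\n", demo(1));
    printf("escaped:    %s\n", escaped_copy("a\"b"));
    return 0;
}
```

The vulnerable run yields `/opt/bin/authcheck -u "abZZZZZZ; id"`: the escaper did its job on the two bytes it was given, but the missing terminator lets the stale `; id` ride along into the command. Allocating with calloc() or writing `out[j] = '\0'` closes the gap; a review of every caller that treats the result as a C string is still worthwhile.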
Impact
Confirmed Damage: No confirmed exploitation reported as of the advisory date; the vulnerability allows arbitrary command execution as root on the appliance
Mitigation
Patches: LoadMaster GA v7.2.63.2; LoadMaster LTSF v7.2.54.18
Workaround: The flaw is only reachable when the API is enabled, so disabling the API on appliances that do not need it removes the pre-auth exposure until the patch is applied
Detection: Monitor the /accessv2 endpoint for malformed JSON requests with an excessive number of key-value pairs and specially crafted apiuser values
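One way to turn the detection guidance above into a concrete check, as an added example that is not from the advisory or either vendor: scan an /accessv2 request body, count top-level JSON keys, and flag an apiuser value that strays outside a conservative account-name alphabet. The threshold, the alphabet `[A-Za-z0-9_.@-]`, the `k0..kN` padding keys and the sample bodies are all constructed assumptions; tune the threshold against your own baseline of legitimate API traffic.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reads one JSON string starting at *p (the opening quote) into dst,
 * keeping backslash escapes verbatim, which is enough for a character-class
 * check. Returns a pointer past the closing quote, or NULL if unterminated. */
static const char *read_json_string(const char *p, char *dst, size_t cap) {
    size_t n = 0;
    for (p++; *p && *p != '"'; p++) {
        if (*p == '\\' && p[1]) {        /* copy "\x" as two bytes */
            if (n + 1 < cap) dst[n++] = *p;
            p++;
        }
        if (n + 1 < cap) dst[n++] = *p;
    }
    dst[n] = '\0';
    return *p == '"' ? p + 1 : NULL;
}

/* Heuristic for the advisory's detection guidance. Returns a bitmask:
 * 1 = more than max_pairs keys, 2 = apiuser value outside [A-Za-z0-9_.@-],
 * 4 = unterminated JSON string (malformed body). Assumed thresholds. */
static int accessv2_body_flags(const char *body, size_t max_pairs) {
    int flags = 0;
    size_t pairs = 0;
    char tok[256], val[256];
    const char *p = body;
    while ((p = strchr(p, '"')) != NULL) {
        const char *q = read_json_string(p, tok, sizeof tok);
        if (!q)
            return flags | 4;
        const char *r = q;
        while (isspace((unsigned char)*r)) r++;
        if (*r != ':') {                 /* a string value, not a key */
            p = q;
            continue;
        }
        pairs++;
        r++;
        while (isspace((unsigned char)*r)) r++;
        if (strcmp(tok, "apiuser") == 0 && *r == '"') {
            const char *v = read_json_string(r, val, sizeof val);
            if (!v)
                return flags | 4;
            for (const char *c = val; *c; c++) {
                if (!isalnum((unsigned char)*c) && !strchr("_.@-", *c)) {
                    flags |= 2;
                    break;
                }
            }
            p = v;
            continue;
        }
        p = q;
    }
    if (pairs > max_pairs)
        flags |= 1;
    return flags;
}

/* Builds a constructed body: the given apiuser plus npad filler pairs
 * ("k0":"v", ...), the padding shape the advisory's detection note targets. */
static size_t build_padded_body(char *buf, size_t cap, const char *apiuser, size_t npad) {
    size_t len = (size_t)snprintf(buf, cap, "{\"apiuser\":\"%s\"", apiuser);
    for (size_t i = 0; i < npad && len < cap; i++)
        len += (size_t)snprintf(buf + len, cap - len, ",\"k%zu\":\"v\"", i);
    if (len < cap)
        len += (size_t)snprintf(buf + len, cap - len, "}");
    return len;
}

/* Convenience: build a padded body and score it in one call. */
static int crafted_body_flags(const char *apiuser, size_t npad, size_t max_pairs) {
    static char body[2048];
    build_padded_body(body, sizeof body, apiuser, npad);
    return accessv2_body_flags(body, max_pairs);
}

int main(void) {
    const char *benign = "{\"apiuser\":\"admin\",\"apipass\":\"x\",\"cmd\":\"stats\"}";
    printf("benign  flags=%d\n", accessv2_body_flags(benign, 16));
    printf("crafted flags=%d\n", crafted_body_flags("a; id #", 40, 16));
    return 0;
}
```

A benign three-key login scores 0, while a body carrying a metacharacter-laden apiuser and forty filler pairs scores 3 (both bits set). Run it over decoded request bodies at the reverse proxy or from web access logs that capture POST payloads; it is a triage filter, not a replacement for patching.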
Context
Previous Campaigns: CVE-2024-1212 (CVSS 10.0) was added to the CISA KEV catalog in November 2024 after confirmed active exploitation; the April 2026 patch addressed five additional high-severity LoadMaster flaws