A critical bug in Progress Kemp LoadMaster lets an unauthenticated attacker run commands on the appliance, the kind of edge device that usually sits at the front door of a corporate network. Tracked as CVE-2026-8037, the flaw is a pre-authentication remote code execution (RCE) issue, meaning anyone who can reach the product's management API can trigger it without a username or password.
Kemp LoadMaster is a load balancer and application delivery controller made by Progress, the same vendor behind the MOVEit file-transfer software that drove one of 2023's largest data-theft sprees. Load balancers distribute incoming traffic across servers and often terminate SSL/TLS, so they are exposed by design and make an attractive foothold. As researchers at watchTowr Labs put it, edge appliances "have a habit of becoming the way in rather than the thing keeping people out."
What's affected
Progress disclosed the command-injection RCE in an advisory on June 4 and shipped a fix. The vulnerability affects Kemp LoadMaster GA version 7.2.63.1 and earlier, and LTSF version 7.2.54.17 and earlier, on systems where the API is enabled. If the API is turned off, the attack surface for this specific bug is not exposed.
How the attack works
Researcher Sina Kheirkhah (@SinSinology) of watchTowr Labs reverse-engineered the patch and found it touched a single function, escape_quotes(), which is supposed to make user-supplied text safe before it is dropped into a shell command. In the vulnerable build that function allocated an uninitialized memory buffer and, in some cases, failed to null-terminate the resulting string. That combination lets attacker-controlled data run past its intended boundary, which the researchers traced through to command execution. The patch simply zero-fills the buffer and writes the missing terminator, closing the hole.
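To make the two defects concrete, here is an added C example (not code from Progress or watchTowr) of an escaping routine written the way the patched one is described: the output buffer is zero-filled on allocation and explicitly NUL-terminated, so nothing downstream can read past the string. The escaping rule used here (POSIX single-quote wrapping) is an assumption; the page does not document what escape_quotes() itself does to the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape `in` for use as one single-quoted POSIX shell argument.
 * Each embedded ' becomes '\'' (close quote, escaped quote, reopen), and the
 * whole value is wrapped in quotes. Returns a heap string the caller frees,
 * or NULL on allocation failure / length overflow.
 *
 * The bug class described above is avoided in two places marked FIX below:
 * the vulnerable build used an uninitialised buffer and, on some paths,
 * never wrote the terminating NUL, so the consumer read until it happened to
 * find a zero byte. */
char *escape_quotes_fixed(const char *in)
{
    size_t n = strlen(in);
    size_t quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'')
            quotes++;

    /* Output size: 2 wrapping quotes + n input bytes + 3 extra bytes per
     * embedded quote ('\'' is 4 bytes replacing 1) + 1 terminator. */
    if (n > SIZE_MAX - 3 || quotes > (SIZE_MAX - 3 - n) / 3)
        return NULL;                       /* refuse rather than wrap around */
    size_t cap = n + 3 * quotes + 3;

    char *out = calloc(cap, 1);            /* FIX 1: every byte starts as 0 */
    if (out == NULL)
        return NULL;

    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = in[i];
        }
    }
    *p++ = '\'';
    *p = '\0';                             /* FIX 2: terminator on every path */
    return out;
}

int main(void)
{
    /* Constructed sample input containing a quote, the case that grows the string. */
    char *e = escape_quotes_fixed("abc'def");
    if (e != NULL) {
        printf("%s\n", e);                 /* prints 'abc'\''def' */
        free(e);
    }
    return 0;
}
```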
watchTowr published the full teardown in the original report. The firm has a track record of turning vendor patch diffs into public exploitation know-how quickly, so defenders should assume the details needed to attack unpatched devices are now in the open.
What you should do
Update Kemp LoadMaster to version 7.2.63.2 or later, or the corresponding fixed LTSF build, without delay. If you cannot patch immediately, disable the API or restrict it to trusted management networks, and keep the appliance's web interface off the public internet. Edge devices like this have repeatedly been the entry point for both ransomware crews and state-backed intruders, a pattern we saw when attackers bypassed authentication on Palo Alto GlobalProtect VPNs and when CISA flagged Cisco and PTC bugs as actively exploited. A similar pre-authentication memory bug surfaced earlier this month in the xrdp remote desktop server.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.