Active Exploitation Attempts Target Progress Kemp LoadMaster RCE Flaw
Security researchers are warning that a newly disclosed critical vulnerability in Progress Kemp LoadMaster is already drawing attack attempts in the wild. According to eSentire’s Threat Response Unit...
Security researchers are warning that a newly disclosed critical vulnerability in Progress Kemp LoadMaster is already drawing attack attempts in the wild. According to eSentire’s Threat Response Unit (TRU), activity targeting CVE-2026-8037 began on June 29, 2026.
The issue carries a CVSS score of 9.6 and involves an operating system command injection weakness in the LoadMaster API. If successful, the flaw could let an unauthenticated attacker execute arbitrary commands on an exposed appliance. Progress described the bug as a case of unsanitized input being processed in a way that could permit remote code execution.
How the flaw works
In a technical breakdown, watchTowr Labs said the problem appears to stem from a function called escape_quotes() that does not properly terminate sanitized strings. That mistake can trigger an out-of-bounds read into nearby heap memory. With carefully crafted requests to the /accessv2 endpoint, an attacker may be able to shape memory contents in a way that leads to command injection.
While the attempted intrusions observed by eSentire did not succeed and no post-compromise activity was seen, the researchers cautioned that the publication of proof-of-concept exploit details could increase the odds of follow-on attacks.
Observed source addresses
- 192.42.116[.]58
- 192.42.116[.]105
- 146.70.139[.]154
Organizations using LoadMaster should review exposure immediately, apply vendor guidance as soon as possible, and restrict access to management interfaces where feasible. Even failed exploit attempts can be a sign that threat actors are probing for vulnerable deployments before wider weaponization occurs.
CVE-2026-8037 is the second Progress Kemp LoadMaster command-injection flaw to attract active exploitation attention, following CVE-2024-1212, another critical issue that previously enabled arbitrary command execution.
