ACTIVE EXPLOITATION · CVE-2026-8037

Kemp LoadMaster Pre-Auth RCE Under Active Attack

Patch CVE-2026-8037 Now

Matt Lucas  |  July 1, 2026  |  5 min
Kemp LoadMaster Pre-Auth RCE Under Active Attack — editorial hero illustration
9.6
CVSS score
Pre-auth RCE
Jun 29, 2026
Exploitation began
3
Attacker source IPs
TL;DR
  • What: Attackers are actively probing Progress Kemp LoadMaster appliances for CVE-2026-8037, a CVSS 9.6 pre-auth OS command injection flaw at the /accessv2 API endpoint.
  • Impact: Successful exploitation gives an unauthenticated attacker arbitrary command execution on the load balancer, a device that sits inline in front of critical application traffic.
  • Fix / mitigation: Apply the Progress LoadMaster update released in June 2026 that fixes CVE-2026-8037, and restrict management API access to trusted networks.
  • Who's at risk: Any organization running an internet-exposed or broadly reachable Progress Kemp LoadMaster appliance.

Attackers started hitting Progress Kemp LoadMaster load balancers on June 29, 2026, according to eSentire's Threat Response Unit (TRU). The target is CVE-2026-8037, a CVSS 9.6 OS command injection flaw that lets an unauthenticated attacker run arbitrary commands on the appliance. This is a network chokepoint device sitting inline in front of application traffic, so a compromise here is a foothold with reach.

The observed attempts failed, and eSentire reported no post-compromise activity. That is the good news and it is temporary. watchTowr Labs published a detailed technical analysis this week, and a proof-of-concept exploit is circulating. Failed probes from three IPs are the opening move, not the whole game. Treat the current lull as the patch window, because it is closing.

What the flaw actually is

Progress disclosed the vulnerability in early June 2026: an OS command injection in the LoadMaster API that lets an unauthenticated attacker execute arbitrary commands by exploiting unsanitized input. watchTowr traced the root cause to a function named escape_quotes() in the load balancer application. The function failed to properly null-terminate sanitized strings, producing an out-of-bounds read into adjacent heap memory.

From there an attacker sends specially crafted requests to the /accessv2 endpoint that manipulate heap memory to trigger command injection. No credentials required. The bug is a memory-handling mistake in input sanitization that cascades into full command execution, which is why the CVSS score lands at 9.6.

Block these source IPs now

eSentire attributes the exploitation attempts to 192.42.116.58, 192.42.116.105, and 146.70.139.154. Block them at the perimeter and hunt for prior connections to /accessv2 from these hosts, but do not treat blocklisting as remediation. New infrastructure will follow the public PoC.

Why this device matters

A load balancer is not an endpoint you can quietly reimage. It terminates and routes traffic for the applications behind it, often with visibility into internal network segments and inline access to session data. Arbitrary command execution on a LoadMaster gives an attacker a persistent, high-trust position for pivoting, traffic interception, and lateral movement. Appliances like this are also frequently internet-facing by design and under-monitored compared to servers.

Not the first time

CVE-2026-8037 is the second Progress Kemp LoadMaster flaw to draw active exploitation. The first was CVE-2024-1212, a CVSS 10.0 OS command injection that also allowed arbitrary system command execution. Two critical command-injection bugs in the same product line, both exploited in the wild, is a pattern. If you run LoadMaster, assume the management API is a priority target and architect access accordingly.

What to do now

Bottom line

Exploitation is early and currently failing, but a public PoC plus a full technical writeup means the barrier to reliable exploitation is dropping this week. Patch now, lock down API exposure, and hunt back to June 29. Do not wait for a successful compromise to prove the risk.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us