
Progress LoadMaster CVE-2026-8037: pre-auth root RCE, PoC-ready diff

Progress patches an unauthenticated command-injection RCE in Kemp LoadMaster, reachable without credentials wherever the management API is enabled. CVSS 9.8. GA 7.2.63.2 and LTSF 7.2.54.18 ship the fix; watchTowr posted the full chain on June 29.


Progress has patched CVE-2026-8037, an unauthenticated command-injection RCE that lets a remote attacker run arbitrary commands as root on a Kemp LoadMaster appliance whose management API is enabled. The primary advisory is the Progress LoadMaster critical security bulletin for June 2026, first published June 4. On June 29, watchTowr Labs published the full technical walk-through and exploit chain. ZDI scored the flaw 9.8. Progress says it has no reports of exploitation. The clock started on June 29.

Affected versions

Per the Progress bulletin:

  • LoadMaster GA 7.2.63.1 and earlier.
  • LoadMaster LTSF 7.2.54.17 and earlier.
  • Also affected: ECS Connection Manager, Object Scale Connection Manager, and the MOVEit WAF module — all share the vulnerable component.

The vulnerability is only reachable when the management API is enabled on the appliance. Deployments that never turned the API on are not exposed through this CVE, but production LoadMaster estates commonly enable it for automation, so verify the setting rather than assuming it is off.

Fixed in GA 7.2.63.2 and LTSF 7.2.54.18. The Canadian Centre for Cyber Security relayed the guidance as AV26-552.

What the bug does

The flaw is in escape_quotes(), the routine that sanitises user input before it is spliced into a shell command line built with sprintf and passed to system(). Two defects compose:

  1. The output buffer is allocated with malloc and never zeroed, so it starts populated with whatever the heap allocator hands out.
  2. The routine writes the escaped bytes but omits the trailing null terminator.

The downstream sprintf therefore reads past the escaped payload and pulls whatever adjacent heap bytes happen to sit after it into the final command string. Because malloc frequently returns previously freed chunks whose contents remain in place, an attacker who can shape the heap — for example, by placing a controlled command fragment in a chunk that malloc will hand back next — can splice that fragment into the command line that system() ends up executing.

Progress's fix in 7.2.63.2 / 7.2.54.18 switches the allocation to calloc (zero-filled) and adds the missing null terminator. The terminator is what actually bounds the sprintf read; the zero-filled allocation is defence in depth, so that any spare bytes in the buffer read as an empty string rather than as stale heap data. Both changes land in the same diff.
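
An added example, my own code rather than anything from Progress, watchTowr or the LoadMaster image, that models the two defects and the patched shape side by side. The escaping rule, the `/bin/true "%s"` command template, the staged fragment and the toy recycling allocator are all assumptions; the real routine's rules and the appliance's heap layout are not on the page. The toy allocator hands every request the same chunk and never clears it, which makes the recycled-chunk case deterministic, and `system()` is replaced by returning the built command line so it can be inspected:

```c
#include <stdio.h>
#include <string.h>

/* Toy allocator standing in for the appliance's heap (assumption): every
 * allocation returns the same static chunk and free is a no-op, so a chunk
 * recycled without clearing still holds its previous contents. A real malloc
 * only sometimes behaves this way; the toy makes that case deterministic. */
#define CHUNK_SIZE 128
static char chunk[CHUNK_SIZE];

void *heap_alloc(size_t n) { return n <= CHUNK_SIZE ? chunk : NULL; }
void *heap_calloc(size_t n) {
    void *p = heap_alloc(n);
    if (p) memset(p, 0, n);
    return p;
}
void heap_free(void *p) { (void)p; }

/* Escaping rule assumed for illustration: backslash-prefix the bytes that
 * matter inside a double-quoted shell word. Not the real rule set. */
static int needs_escape(char c) { return c == '"' || c == '\\' || c == '$' || c == '`'; }

static size_t escaped_len(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += needs_escape(*in) ? 2 : 1;
    return n;
}

/* Writes the escaped bytes and returns how many were written; writes no NUL. */
static size_t write_escaped(const char *in, char *out) {
    size_t j = 0;
    for (; *in; in++) {
        if (needs_escape(*in)) out[j++] = '\\';
        out[j++] = *in;
    }
    return j;
}

/* Vulnerable shape: exactly-sized, uninitialised buffer, no terminator. */
char *escape_quotes_vuln(const char *in) {
    char *out = heap_alloc(escaped_len(in));   /* defect 1: stale bytes, never zeroed */
    if (!out) return NULL;
    write_escaped(in, out);                    /* defect 2: no '\0' after the payload */
    return out;
}

/* Patched shape: zero-filled buffer with room for, and a write of, the terminator. */
char *escape_quotes_fixed(const char *in) {
    char *out = heap_calloc(escaped_len(in) + 1);
    if (!out) return NULL;
    out[write_escaped(in, out)] = '\0';
    return out;
}

/* The downstream sprintf step; the page's system() call is replaced by
 * returning the command line. %s reads until the first NUL it finds. */
static char cmd[256];
const char *build_cmd(const char *user_input, int patched) {
    char *esc = patched ? escape_quotes_fixed(user_input) : escape_quotes_vuln(user_input);
    if (!esc) return NULL;
    snprintf(cmd, sizeof cmd, "/bin/true \"%s\"", esc);
    heap_free(esc);
    return cmd;
}

/* Attacker's heap shaping (assumption): an earlier request leaves a fragment
 * in a chunk that is freed and then recycled for the escape buffer. */
void stage_chunk(const char *fragment) {
    char *p = heap_alloc(strlen(fragment) + 1);
    if (p) strcpy(p, fragment);
    heap_free(p);
}

int main(void) {
    const char *fragment = "XX\"; id > /tmp/pwned #";   /* constructed fragment */
    stage_chunk(fragment);
    printf("vulnerable: %s\n", build_cmd("XX", 0));     /* fragment spliced in */
    stage_chunk(fragment);
    printf("patched:    %s\n", build_cmd("XX", 1));     /* intended command only */
    return 0;
}
```

Compile with `cc -Wall demo.c && ./a.out`. The vulnerable path returns a command line that has absorbed the staged fragment because `%s` ran off the end of the two-byte payload into the recycled chunk; the patched path stops at the terminator. On a real allocator the recycled-chunk case is probabilistic, which is exactly what a heap-shaping primitive exists to fix.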

The diff between 7.2.63.1 and 7.2.63.2 is small and the vulnerable function is named. Anyone diffing the patched image against the vulnerable one has enough to write a PoC in an afternoon; watchTowr's walk-through supplies the heap-shaping primitive, which saves even that reversing time.

Exploitation status

Progress says it has not received any reports of exploitation as of the June 4 advisory. watchTowr's write-up on June 29 does not include a runnable PoC in the post but describes the exploit chain in enough detail to reconstruct one, and the vendor's own diff points at the same function. There is no CISA KEV listing yet.

The bundle also carries CVE-2026-33691, a WAF filename-check bypass where whitespace padding in a filename evades the upload extension filter. Same advisory, same patched builds — less severe on its own, but worth patching in the same window.
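
An added example, my own code rather than the LoadMaster WAF's, of the filename-check class behind CVE-2026-33691, generalised beyond the one case on the page. The blocked-extension list, the assumption that the padding is trailing whitespace, and the canonicalisation rule in the fixed version are all mine; the page only says that whitespace padding evades the extension filter:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extensions the upload filter refuses (constructed list, not the WAF's). */
static const char *BLOCKED[] = { ".php", ".jsp", ".sh", NULL };

/* Non-zero if the last '.'-suffix within the first len bytes of name matches a
 * blocked extension case-insensitively. Works on an explicit length so the
 * caller decides which bytes count as the filename. */
static int ext_blocked(const char *name, size_t len) {
    const char *dot = NULL;
    for (size_t i = 0; i < len; i++)
        if (name[i] == '.') dot = name + i;
    if (!dot) return 0;
    size_t elen = (size_t)((name + len) - dot);
    for (const char **b = BLOCKED; *b; b++) {
        if (strlen(*b) != elen) continue;
        size_t k;
        for (k = 0; k < elen; k++)
            if (tolower((unsigned char)dot[k]) != tolower((unsigned char)(*b)[k])) break;
        if (k == elen) return 1;
    }
    return 0;
}

/* Vulnerable: validates the bytes the client sent. "shell.php " (trailing
 * space) ends in ".php ", which matches nothing, so the upload passes. */
int upload_rejected_vuln(const char *name) {
    return ext_blocked(name, strlen(name));
}

/* Fixed: canonicalise first. Trailing whitespace and dots are the characters
 * a storage layer commonly discards (assumption about that layer), so strip
 * them before checking; the filter then sees the name the backend will use. */
int upload_rejected_fixed(const char *name) {
    size_t len = strlen(name);
    while (len > 0 && (isspace((unsigned char)name[len - 1]) || name[len - 1] == '.'))
        len--;
    return ext_blocked(name, len);
}

int main(void) {
    /* constructed filenames */
    const char *names[] = { "shell.php", "shell.php ", "x.PhP.", "photo.png" };
    for (size_t i = 0; i < sizeof names / sizeof *names; i++)
        printf("[%s] vuln=%d fixed=%d\n", names[i],
               upload_rejected_vuln(names[i]), upload_rejected_fixed(names[i]));
    return 0;
}
```

The point of the fixed version is that the filter and the filesystem must validate the same string: if the backend trims a name before storing it, the check has to run on the trimmed name, not on the client's bytes.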

Action checklist

  1. Upgrade LoadMaster to 7.2.63.2 (GA) or 7.2.54.18 (LTSF) this week. The vendor bulletin links both builds; the LTSF build exists for regulated estates that cannot ride the GA channel.
  2. If you cannot patch this week, disable the LoadMaster API on internet-exposed appliances. The vulnerability is only reachable when the API is on. Turning it off breaks automation but closes the exposure until you can apply the patched build.
  3. Bind the API to a management VLAN. Even after patching, exposing the LoadMaster API to the public internet has never been a good idea. At the firewall in front of the appliance, allow TCP 443 (or whatever port your API listener actually uses) only from an admin subnet.
  4. Audit ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF too. They share the vulnerable component and are covered by the same bulletin. Patch inventory tooling that scopes only "LoadMaster" will miss them.
  5. Hunt for exploitation now. Review LoadMaster access logs and the appliance's messages/syslog for API calls from unfamiliar source IPs since June 4, and look for evidence of commands run as root from the API handler: unexpected child processes, shells, outbound fetches, new cron entries or accounts. The gap between the June 4 bulletin, which exposed the diff, and the June 29 write-up is 25 days; treat it as a usable window, not a zero one.

Context

Load balancers keep landing on the front of KEV-track advisories for the same reason RMM servers do: they sit inside the trust boundary of every service they front, they run as root, and their management planes are usually reachable from more of the internet than their owners think. Progress LoadMaster now joins the sequence that includes Ubiquiti UniFi OS CVE-2026-34908 and the Cisco Unified CM CVE-2026-20230 webshell chain — critical-class management-plane bugs in appliance software where the patch is the only durable control.

The CVSS-9.8 pre-auth root RCE with a small, named diff is the class of bug that opportunistic scanners weaponise fastest. Progress's "no reports of exploitation" is a snapshot dated June 4; it is not a forecast. Patch this week.
