Progress’s Kemp LoadMaster, a widely deployed edge load balancer and ADC, is at the center of a critical pre-authentication Remote Code Execution (RCE) vulnerability tracked as CVE-2026-8037.
The flaw allows unauthenticated attackers with access to the device API to run arbitrary shell commands by exploiting an uninitialized-memory/string-termination bug in LoadMaster’s API handling.
Given LoadMaster’s position on the network edge, successful exploitation can convert what should be a protective choke point into a complete network foothold.
Kemp LoadMaster provides Layer 4/7 traffic distribution, SSL/TLS offload, health checking and an embedded WAF. Progress published a security bulletin on June 4, 2026 detailing a “Command Injection Remote Code Execution Vulnerability” and an associated advisory (see Progress bulletin).
The issue affects GA v7.2.63.1 and earlier and LTSF v7.2.54.17 and earlier when the API is enabled. The vulnerability was responsibly disclosed by Syed Ibrahim Ahmed of TrendAI Research and documented as a ZDI advisory (ZDI-26-342).
The vulnerable code path lives in the API endpoint that validates credentials sent to /accessv2. LoadMaster uses an escape_quotes() helper to sanitize values placed inside single-quoted shell arguments.
That function scans input for single quotes and, when present, allocates a new heap buffer and replaces each single quote with the four-byte shell-safe sequence '\''.
Kemp LoadMaster is a load balancer and application delivery controller (ADC) that distributes incoming network traffic across multiple servers to keep applications available, responsive, and scalable.

CVE-2026-8037 is not a classic input-sanitization mistake; it arises from a subtle combination of heap semantics and a string-escaping implementation that failed to terminate its output, Labs said.
Two implementation defects made this dangerous. First, the unpatched escape_quotes() used malloc(), leaving the newly allocated buffer uninitialized.
Second, the function neglected to write a null terminator after generating the escaped string. When the escaped pointer is subsequently used in a sprintf/system() chain to build a validuser command line, the missing terminator allows sprintf to read past the intended buffer and continue into adjacent heap memory.
Because malloc can return previously freed chunks that still contain controlled data, an attacker can heap-spray a command fragment into a neighboring chunk.
The exploit technique leverages the escaping logic itself to overwrite allocator metadata: four single quotes in the apiuser field expand into exactly 16 bytes of escaped data, which can clobber the first sixteen bytes of the next chunk (where allocator metadata would otherwise introduce null bytes and stop the read).
By spraying many JSON parameters, the attacker increases the probability that a crafted payload chunk sits adjacent to the escaped apiuser chunk.
The result: sprintf reads into the sprayed data and assembles a command line containing attacker-controlled content, which is then executed via system(), yielding pre-auth RCE.
This vulnerability is powerful because it requires only API access (no authentication) and no straightforward injection syntax: the exploit relies on allocator behavior, precise heap layout, and a clever use of the target’s own escaping routine.
Mitigations and detection are straightforward: Progress released patches that change allocation to calloc and explicitly write a terminating NUL, preventing out-of-bounds reads; administrators should apply vendor updates immediately.
Where patching is not yet possible, disabling the management API from untrusted networks and restricting access via network ACLs, VPNs, or jump hosts reduces exposure.
Monitor for unusual validuser system calls, abnormal process creation, and unexpected outgoing connections from LoadMaster appliances.
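The patched pattern described above (zeroed allocation plus an explicit terminator), shown as an added C example that is not Progress's code. The function names, the `validuser '%s'` command format, the size-overflow guard and the bounded `snprintf` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened escaper (not LoadMaster source): rewrites each '
 * as the four-byte sequence '\'' for use inside a single-quoted argument. */
char *escape_quotes_fixed(const char *in)
{
    size_t quotes = 0, len = strlen(in);
    for (size_t i = 0; i < len; i++)
        if (in[i] == '\'')
            quotes++;
    /* Each quote grows from 1 byte to 4; one more byte for the NUL. */
    if (quotes > (SIZE_MAX - len - 1) / 3)
        return NULL;                          /* size overflow guard */
    char *out = calloc(len + quotes * 3 + 1, 1);  /* zeroed, unlike malloc() */
    if (!out)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '\'') {
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';      /* the explicit terminator the unpatched code lacked */
    return out;
}

/* Assumed command format. Returns length written, or -1 on error/truncation. */
int build_validuser_cmd(char *dst, size_t cap, const char *user)
{
    char *esc = escape_quotes_fixed(user);
    if (!esc)
        return -1;
    int n = snprintf(dst, cap, "validuser '%s'", esc);  /* bounded copy */
    free(esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    char cmd[128];
    if (build_validuser_cmd(cmd, sizeof cmd, "o'brien") > 0)  /* constructed input */
        puts(cmd);
    return 0;
}
```

With the terminator written inside the allocation, any later `%s` read stops at the end of the escaped string regardless of what the neighbouring heap chunk contains.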

