CVE-2026-8037 - Progress Kemp LoadMaster API command injection RCE
CVE-2026-8037 + Progress Kemp LoadMaster API command injection RCE + Critical + 2026-06-04
One-sentence business risk
A reachable LoadMaster management/API endpoint can become root command execution on the edge load balancer, giving attackers a direct path into production traffic and credentials.
Research notes
- Root cause: Progress ADC API/UI command handlers pass user-controlled parameters into appliance shell commands after incomplete escaping.
- Affected versions: Progress Kemp LoadMaster GA v7.2.63.1 and prior, LTSF v7.2.54.17 and prior; related Progress ADC products should be checked against the Progress bulletin.
- Fixed / safe versions: LMOS 7.2.63.2 or 7.2.54.18, or the later Progress-recommended release for the deployed branch.
- Public exploit / PoC signal: watchTowr published a technical exploit chain on June 30, 2026; public discussion is active.
- CVSS: 9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Exact vulnerable code pattern
// Appliance/API handler shape: escaping is not a security boundary.
const char *key = http_param(req, "key");
char escaped[512];
escape_quotes(key, escaped, sizeof(escaped));
char cmd[1024];
snprintf(cmd, sizeof(cmd), "/usr/local/bin/lmctl set-key '%s'", escaped);
system(cmd); // attacker-controlled shell metacharacters can still reach root command execution
Fixed / mitigated code pattern
const char *key = http_param(req, "key");
if (!regex_match(key, "^[A-Za-z0-9_.:-]{1,128}$")) {
return http_error(400, "invalid key");
}
char *const argv[] = {"/usr/local/bin/lmctl", "set-key", (char *)key, NULL};
execve(argv[0], argv, locked_down_envp); // no shell, no quoting parser, fixed argv boundary
Gateway hardening:
location ~* ^/(access|api|progs|forms|xml|json) {
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
}
if ($args ~* '(%3b|;|%26|&|%7c|\||%60|`|\$\(|\.\./)') {
return 403;
}
Step-by-step integration guide
- Inventory every Progress Kemp LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF appliance; record LMOS branch and whether API/UI management is internet, partner, or admin-network reachable.
- Upgrade LoadMaster GA to LMOS 7.2.63.2 or later, or LTSF to 7.2.54.18 or later, following the Progress critical security bulletin.
- Restrict management/API/UI exposure to dedicated admin VPN/CIDRs before the upgrade if any endpoint is externally reachable.
- Search custom automation, ADC templates, and reverse-proxy wrappers for shell-built commands using request parameters such as
key; replace shell execution with fixed-argv process execution and strict allowlists. - Add a regression test that sends shell metacharacters in every API parameter consumed by management commands and verifies a 400/403 response without process execution.
- After upgrade, review appliance logs, upstream WAF logs, and NetFlow for suspicious POSTs to management/API paths, then rotate API credentials and admin passwords.
Alternative mitigations
- Disable public API/UI management and require VPN plus MFA for all LoadMaster administration.
- Block requests containing shell metacharacters, command substitutions, traversal tokens, or encoded separators in API/UI query strings and bodies.
- Place LoadMaster management on a separate management VLAN with no inbound route from production or the internet.
- If patching is delayed, snapshot configuration, deploy a replacement appliance on a fixed LMOS branch, and cut traffic over rather than leaving the vulnerable management plane exposed.
Detection signature
id: cve-2026-8037-progress-kemp-loadmaster-api-command-injection
source: Progress, ZDI, watchTowr, THN, Reddit r/netsec
package_or_product: "Progress Kemp LoadMaster / Progress ADC"
affected: "GA v7.2.63.1 and prior; LTSF v7.2.54.17 and prior"
fixed: "LMOS 7.2.63.2 / 7.2.54.18 or later"
cvss: "9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
signals:
- "HTTP request to LoadMaster API/UI containing ; & | ` $() ../ or percent-encoded equivalents"
- "unexpected root shell, wget, curl, nc, python, perl, or busybox process on appliance"
- "management/API access from non-admin CIDR"
- "configuration changes followed by outbound callbacks"
action: "upgrade LMOS, isolate management, block exploit metacharacters, and rotate ADC credentials"
Copy-paste skill
You are remediating CVE-2026-8037 for Progress Kemp LoadMaster or a related Progress ADC product.
Produce a reviewer-ready PR, appliance change plan, or TRIAGE.md. Inventory all LoadMaster/ADC appliances and versions. Upgrade vulnerable GA v7.2.63.1 and prior to LMOS 7.2.63.2 or later, and vulnerable LTSF v7.2.54.17 and prior to LMOS 7.2.54.18 or later. Restrict API/UI management to VPN/admin CIDRs, block command metacharacters at the edge, review automation for shell-built commands, replace shell execution with fixed argv execution, add metacharacter rejection tests, and hunt appliance logs for suspicious API POSTs before rotating credentials.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-8037,Progress Kemp LoadMaster,command-injection,pre-auth-rce,edge-appliance. - Affected tech stack:
network-appliance/c,load-balancer,adc. - Revenue tags:
sellable_to_fintech,enterprise_blocker,zero_day_gold.
References
- https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
- https://docs.progress.com/bundle/loadmaster-vulnerabilities-ga/page/Vulnerabilities.html
- https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/
- https://www.zerodayinitiative.com/advisories/ZDI-26-318/
- https://thehackernews.com/2026/06/progress-kemp-loadmaster-flaw-could-let.html
- https://github.com/advisories/GHSA-57pc-jm9r-hgj4
- https://www.reddit.com/r/netsec/comments/1uj2a4w/enterprise_tech_in_shell_out_progress_kemp/