>_ 0dayNews

Kemp LoadMaster pre-auth RCE (CVE-2026-8037): PoC is out, patch now

A functional proof-of-concept for a critical pre-auth RCE in Progress Kemp LoadMaster hit the internet on June 29 and eSentire started seeing exploitation attempts the same day. Progress's fix has been available since June 4.

Marisol "Fuse" Delgado · Published · 3 min read

If you run Progress Kemp LoadMaster and you haven’t applied the June 4 update, that’s the priority for this week. CVE-2026-8037 is a critical (CVSS 9.6) unauthenticated OS-command-injection flaw in LoadMaster’s HTTP management surface. Working proof-of-concept code was published on June 29, and eSentire’s Threat Response Unit began observing exploitation attempts against monitored instances the same day. That is the honest timeline: patch on June 4, PoC on June 29, attempts on June 29.

The attempts eSentire watched didn’t succeed — no post-compromise activity followed the observed probing — but “the ones we watched failed” is not a defense strategy. Once a working PoC is on the internet, the exploitation curve broadens from targeted intrusion teams to anyone with a Shodan query and a weekend.

What changed

Two things.

First, Progress moved from “patched vulnerability” to “patched vulnerability with public exploit code” on June 29. Progress’s June 2026 security bulletin covers CVE-2026-8037 and a second flaw, CVE-2026-33691, in the same release. The Hacker News reported on July 1 that the PoC and the exploitation attempts followed within hours of each other.

Second, eSentire’s TRU confirmed the attempts as real, not theoretical. That’s the transition from “critical CVE, unknown activity” to “critical CVE, known active targeting.”

What to actually do

Priority one, patch this week:

  • LoadMaster GA branch — upgrade to 7.2.63.2 (fixed) from 7.2.63.1 or earlier.
  • LoadMaster LTSF branch — upgrade to 7.2.54.18 (fixed) from 7.2.54.17 or earlier.
  • Both fixed versions have been available since Progress’s June 4 bulletin. There’s no version-jump surprise and no rollback risk unique to this release beyond the normal load-balancer change control.
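If you have more than a handful of appliances, the question is which ones are still below the fixed build on their branch. The script below is an added example, not Progress or Kemp tooling: it takes the two fixed builds named in the bulletin (GA 7.2.63.2, LTSF 7.2.54.18) and sorts a hostname-to-version inventory into patch-now and fixed buckets, comparing version components numerically rather than as strings so that a hypothetical 7.2.63.10 is not mistaken for an old build. The branch inference (anything on the 7.2.54 line is LTSF, everything else is compared against the GA fix) is this script's own assumption, and the inventory is constructed sample data.

```python
"""Fleet triage for CVE-2026-8037 against the fixed LoadMaster builds.

Added example (not Progress/Kemp code). Fixed builds are the ones the bulletin
names: GA 7.2.63.2 and LTSF 7.2.54.18. Branch inference is an assumption of
this script: a version on the 7.2.54 line is treated as LTSF, anything else is
compared against the GA fix. INVENTORY below is constructed sample data.
"""
from __future__ import annotations

# Fixed builds from the June 4 bulletin as quoted in the post.
FIXED: dict[str, tuple[int, ...]] = {
    "GA": (7, 2, 63, 2),
    "LTSF": (7, 2, 54, 18),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.2.63.1' into (7, 2, 63, 1) so comparison is numeric, not lexical."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part LoadMaster version, got {version!r}")
    return parts


def branch_of(version: str) -> str:
    """ASSUMPTION: the 7.2.54.x line is LTSF; everything else is on the GA line."""
    return "LTSF" if parse_version(version)[:3] == (7, 2, 54) else "GA"


def needs_patch(version: str) -> bool:
    """True when the installed build is older than the fixed build for its branch."""
    return parse_version(version) < FIXED[branch_of(version)]


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: version} inventory into patch_now / fixed / unparseable."""
    result: dict[str, list[str]] = {"patch_now": [], "fixed": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patch_now" if needs_patch(version) else "fixed"
        except ValueError:
            bucket = "unparseable"  # bad or missing version string; check by hand
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = {
    "lm-dc1-01": "7.2.63.1",   # GA, one build behind the fix
    "lm-dc1-02": "7.2.63.2",   # GA, fixed
    "lm-dc2-01": "7.2.54.17",  # LTSF, one build behind the fix
    "lm-dc2-02": "7.2.54.18",  # LTSF, fixed
    "lm-lab-01": "7.2.59.4",   # older GA line, still needs the upgrade
    "lm-lab-02": "7.2.63.10",  # hypothetical later build; a string compare would get this wrong
    "lm-lab-03": "unknown",    # inventory gap
}

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it whatever your CMDB or appliance-API export produces as a hostname-to-version mapping; anything that lands in the unparseable bucket is an inventory gap to close before you trust the patch-now list.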

If your LoadMaster’s HTTP management interface is reachable from the internet at all, patching this week is not optional. LoadMaster’s HTTP management surface is the same category of appliance edge that made Citrix Bleed, Ivanti Connect Secure, and F5 BIG-IP iControl REST household names in the last three years — an internet-exposed management plane on a device that terminates TLS for everything behind it.

Before you patch, if you can’t do it today:

  • Restrict the LoadMaster management interface to a management VLAN or a VPN — full stop, not a “temporary” ACL that ends up in production for two years. Kemp’s own hardening guidance has said this for years; a public PoC is the point at which “the default deployment” stops being defensible.
  • If the appliance genuinely must be reachable from the internet (it shouldn’t be), rate-limit and monitor the management endpoints for a spike in probe traffic. eSentire published attacker source IPs in its advisory — treat those as an early-warning IOC list, not a complete one.

After you patch:

  • Rotate any credentials stored on the LoadMaster — backend server credentials, WAF/API key material, SSL/TLS keys if there’s any doubt they were exportable. Pre-auth RCE with root on the appliance means anything the appliance could reach or hold, an attacker could too.
  • Review logs for the last 30 days: unexpected HTTP requests to /accessv2 from unknown source addresses, unusual configuration changes, new admin sessions from unfamiliar geolocations. Fold the eSentire IPs into your SIEM’s watchlist.
  • Confirm your LoadMaster is logging somewhere off-appliance. Log tampering is the first thing an attacker with root would reach for.
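The log-review step above is easy to do badly by eyeballing. The script below is an added example, not eSentire's or Kemp's tooling: it parses off-appliance access-log lines in common/combined format, flags any request to /accessv2 whose source is outside your management ranges, flags any source on a watchlist, and counts hits per source so the noisiest addresses surface first. MGMT_NETS and WATCHLIST are placeholders to replace with your own management VLAN/VPN ranges and the source IPs from the eSentire advisory, and the sample log lines are constructed.

```python
"""Review access logs for the CVE-2026-8037 indicators named in the post.

Added example, not eSentire's or Kemp's tooling. Assumes the management
interface's access log is forwarded off-appliance in common/combined format.
MGMT_NETS and WATCHLIST are placeholders; SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Common/combined log format: src ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: your management VLAN / VPN pool. Anything else hitting /accessv2 is suspect.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# PLACEHOLDER: replace with the attacker source IPs eSentire published.
WATCHLIST = {ipaddress.ip_address("203.0.113.7")}


@dataclass(frozen=True)
class Finding:
    src: str
    ts: str
    method: str
    path: str
    status: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict[str, str] | None:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines: Iterable[str]) -> list[Finding]:
    """Flag /accessv2 requests from outside MGMT_NETS and any request from a WATCHLIST source."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log record; skip rather than crash the sweep
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # hostname instead of an address; cannot be classified offline
        reasons: list[str] = []
        if src in WATCHLIST:
            reasons.append("source on watchlist")
        path = rec["path"].split("?", 1)[0]
        if path.startswith("/accessv2") and not any(src in net for net in MGMT_NETS):
            reasons.append("/accessv2 request from outside management ranges")
        if reasons:
            findings.append(Finding(rec["src"], rec["ts"], rec["method"],
                                    rec["path"], rec["status"], tuple(reasons)))
    return findings


def top_sources(findings: Iterable[Finding]) -> list[tuple[str, int]]:
    """Sources ordered by number of flagged requests, noisiest first."""
    return Counter(f.src for f in findings).most_common()


# Constructed sample lines: addresses are from documentation ranges, timestamps are made up.
SAMPLE_LOG = [
    '10.10.0.5 - admin [30/Jun/2026:08:01:12 +0000] "GET /accessv2 HTTP/1.1" 200 512',
    '198.51.100.23 - - [30/Jun/2026:08:02:40 +0000] "POST /accessv2 HTTP/1.1" 401 0',
    '203.0.113.7 - - [30/Jun/2026:08:03:05 +0000] "GET / HTTP/1.1" 200 1024',
    '203.0.113.7 - - [30/Jun/2026:08:03:09 +0000] "GET /accessv2 HTTP/1.1" 403 0',
    '10.10.0.5 - admin [30/Jun/2026:08:04:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
    'not an access log line',
]

if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.src} {h.method} {h.path} {h.status}: {'; '.join(h.reasons)}")
    print("top sources:", top_sources(hits))
```

Note that a legitimate /accessv2 request from a management address produces no finding, and a denied (401/403) probe from outside still does: the status code tells you whether the attempt got anywhere, not whether it happened. Run it over the full 30-day window the post recommends, not just the days since the PoC went public.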

Priority call

If you’re triaging Monday morning: this comes ahead of most Patch-Tuesday follow-up work. Not because it’s newer than the SharePoint KEV listing — SharePoint is on KEV, this isn’t yet — but because CISA’s KEV bar is “confirmed successful in-the-wild exploitation.” Failed attempts on a monitored appliance don’t clear it. The exploitation curve on public-PoC pre-auth appliance RCE doesn’t wait for CISA’s paperwork.

Patch first, then expect the KEV addition to follow, whether the incident that triggers it belongs to you or to somebody else.

Sourcing
