Progress Kemp LoadMaster pre-auth OS command injection RCE
A critical (CVSS 9.6) OS command injection flaw in Progress Kemp LoadMaster that allows an unauthenticated attacker with network access to the appliance to execute arbitrary commands on the underlying operating system. Patched by Progress on June 4, 2026; functional proof-of-concept published and active exploitation attempts observed by eSentire's Threat Response Unit on June 29, 2026.
- Vendor: Progress Software
- Product: Kemp LoadMaster (GA and LTSF branches)
- CVSS: 9.6
- Status: exploited-in-wild
- Published
CVE-2026-8037 is a critical, unauthenticated OS-command-injection flaw in Progress Kemp LoadMaster, the load balancer / application delivery controller that historically shipped under the Kemp brand and is now maintained by Progress Software. The vulnerability lives in the appliance’s HTTP management surface and allows a remote attacker with network reachability to run arbitrary commands on the appliance without valid credentials. Progress rates the flaw CVSS 9.6.
Affected and fixed versions
Per Progress’s June 4, 2026 security bulletin and eSentire’s public advisory:
- General Availability (GA): 7.2.63.1 and earlier — fixed in 7.2.63.2
- Long-Term Support Feature (LTSF): 7.2.54.17 and earlier — fixed in 7.2.54.18
Progress’s bulletin covers CVE-2026-8037 alongside a second flaw, CVE-2026-33691.
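As an added example (not Progress's or eSentire's code), a small triage helper that checks an inventory of LoadMaster appliances against the fixed builds above. Hostnames are constructed, and the branch comes from the inventory record rather than being inferred from the version string.

```python
"""Triage helper for CVE-2026-8037: is a Kemp LoadMaster build at or past the
fixed release for its branch? Added example; thresholds come from the advisory."""
from typing import List, Tuple

# Fixed builds from Progress's June 4, 2026 bulletin.
FIXED_BUILDS = {
    "GA":   (7, 2, 63, 2),   # GA 7.2.63.1 and earlier are affected
    "LTSF": (7, 2, 54, 18),  # LTSF 7.2.54.17 and earlier are affected
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.2.63.1' into (7, 2, 63, 1). Missing trailing components count
    as 0, so '7.2.63' compares as 7.2.63.0; non-numeric input is rejected."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable LoadMaster version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def is_vulnerable(version: str, branch: str) -> bool:
    """True when the build is below the fixed release for the stated branch.
    The branch must be supplied by the operator; it is not guessed."""
    fixed = FIXED_BUILDS[branch.upper()]
    return parse_version(version) < fixed

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (host, branch, version) records to (host, VULNERABLE|PATCHED|UNKNOWN)."""
    results = []
    for host, branch, version in inventory:
        try:
            status = "VULNERABLE" if is_vulnerable(version, branch) else "PATCHED"
        except (KeyError, ValueError):
            status = "UNKNOWN"  # unknown branch or malformed version: review by hand
        results.append((host, status))
    return results

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [
        ("lm-edge-01.example.internal", "GA", "7.2.63.1"),
        ("lm-edge-02.example.internal", "GA", "7.2.63.2"),
        ("lm-dc-01.example.internal", "LTSF", "7.2.54.17"),
        ("lm-dc-02.example.internal", "LTSF", "7.2.54.18"),
        ("lm-lab-01.example.internal", "LTSF", "7.2.54"),
    ]
    for host, status in triage(sample):
        print(f"{host:30} {status}")
```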
Exploitation status
eSentire’s Threat Response Unit reported observing exploitation attempts against LoadMaster instances on June 29, 2026 — the same day a functional proof-of-concept exploit was released publicly, roughly 25 days after Progress’s patch. eSentire notes that the specific attempts it observed failed and no post-compromise activity followed, but the availability of a working PoC generally drives a broader wave of attempts across the internet-exposed install base.
CVE-2026-8037 is not (as of publication) on the CISA Known Exploited Vulnerabilities catalog; failed attempts against monitored appliances typically don’t meet CISA’s confirmed-in-the-wild bar. That threshold can move quickly once a compromise is documented.
Why it matters
LoadMaster sits in the same position as an F5 BIG-IP or a Citrix NetScaler: at the network edge, internet-exposed by design, terminating TLS for the applications behind it. A pre-auth RCE on that device means the attacker owns the load balancer, its stored credentials for backend applications, and its position between the internet and the rest of the estate. Patch immediately; do not wait for KEV listing.
Progress’s advisory and eSentire’s public writeup are the primary sources; NVD maintains the canonical record for CVE-2026-8037.