Critical Command Injection Vulnerability in Progress Kemp LoadMaster Allows Remote Code Execution
A critical command injection vulnerability (CVE-2026-3517) in Progress Software's Kemp LoadMaster allows authenticated remote attackers to execute arbitrary code on affected appliances.
Progress Software has disclosed a critical command injection vulnerability in its Kemp LoadMaster product, tracked as CVE-2026-3517 and assigned a CVSS score of 8.8. The flaw, reported by Michael Argany of TrendAI Research and published by Zero Day Initiative as ZDI-26-319, allows authenticated remote attackers to execute arbitrary code on affected appliances.
The vulnerability resides in the `addcountry` function, specifically within the handling of the `customLocation` parameter. The issue stems from a lack of proper validation of a user-supplied string before it is used to execute a system call. An attacker with authentication can leverage this flaw to execute arbitrary code in the context of the appliance, potentially leading to full compromise of the LoadMaster device.
Kemp LoadMaster is a widely deployed application delivery controller and load balancing solution used by organizations to manage traffic across servers and ensure high availability. The product is commonly deployed in enterprise data centers and cloud environments, making this vulnerability particularly concerning for network administrators.
Progress Software has released a security update to address this vulnerability. The update is available through the official release notes for LoadMaster version 7.2.63.1, which can be accessed at the vendor's security updates page. Administrators are strongly advised to apply the patch immediately to mitigate the risk of exploitation.
The disclosure timeline indicates that the vulnerability was reported to Progress Software on February 23, 2026, with the coordinated public release occurring on May 21, 2026. This three-month window allowed the vendor time to develop and test the fix before public disclosure.
Command injection vulnerabilities in network appliances are particularly dangerous because they can allow attackers to pivot from the compromised device to other systems within the network. Given that LoadMaster appliances often handle sensitive traffic and may have elevated network privileges, successful exploitation could have cascading effects on an organization's infrastructure.
This disclosure follows a pattern of increasing scrutiny on network infrastructure devices, which have become prime targets for attackers seeking persistent access to enterprise networks. Organizations using Kemp LoadMaster should prioritize patching this vulnerability and review their authentication controls to limit exposure.