CVE-2026-3518: Command Injection in Progress Kemp LoadMaster Allows Remote Code Execution
A command injection vulnerability in Progress Software's Kemp LoadMaster allows authenticated remote attackers to execute arbitrary code on affected appliances.
Progress Software has disclosed a critical command injection vulnerability in its Kemp LoadMaster product, tracked as CVE-2026-3518. The flaw, reported by Michael Argany of TrendAI Research, allows authenticated remote attackers to execute arbitrary code on affected appliances. The vulnerability carries a CVSS score of 8.8, indicating high severity.
The vulnerability exists within the handling of the key parameter in the ssodomain_killsession endpoint. The issue stems from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker with authentication can leverage this flaw to execute code in the context of the appliance, potentially gaining full control over the affected system.
Kemp LoadMaster is a widely used application delivery controller and load balancing solution deployed in enterprise environments. The product handles critical network traffic and often sits at the edge of data center networks. A successful exploit could allow an attacker to compromise the appliance, intercept traffic, or pivot to internal systems.
Progress Software has issued an update to address this vulnerability. The fix is included in LoadMaster version 7.2.63.1, as detailed in the vendor's security updates page. Administrators are strongly urged to apply the patch as soon as possible to mitigate the risk of exploitation.
For organizations unable to immediately patch, ZDI recommends restricting network access to the management interface. This can be achieved by limiting access to trusted IP addresses and ensuring the interface is not exposed to the internet. The vulnerability was reported to Progress Software on February 23, 2026, and the coordinated public release of the advisory occurred on May 21, 2026.
This disclosure follows a pattern of increasing vulnerabilities in network infrastructure appliances. Similar command injection flaws have been discovered in other load balancers and application delivery controllers in recent months, highlighting the need for robust input validation and regular security updates in critical network components.
Organizations using Kemp LoadMaster should prioritize patching and review their security posture for similar vulnerabilities. The availability of a patch and the detailed disclosure timeline provide administrators with the necessary information to protect their environments.