Progress Kemp LoadMaster Vulnerable to Pre-Auth RCE via Uninitialized Heap Flaw (CVE-2026-8037)
A critical pre-authentication remote code execution vulnerability, CVE-2026-8037, has been discovered in Progress Kemp LoadMaster load balancers, allowing unauthenticated attackers to take control of affected devices.

Progress Kemp LoadMaster, a widely deployed load balancer and application delivery controller, is susceptible to a critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-8037. This flaw, detailed by watchTowr Labs, allows unauthenticated attackers to execute arbitrary code on affected devices by interacting with the product's API.
The vulnerability specifically impacts Kemp LoadMaster versions GA v7.2.63.1 and older, as well as LTSF v7.2.54.17 and older, provided the API feature is enabled. Load balancers are critical edge appliances, often responsible for distributing traffic and protecting applications, making their compromise a significant security risk for enterprise networks.
Analysis by watchTowr Labs revealed that the vulnerability stems from an issue within the escape_quotes function. This function is intended to sanitize user input by escaping single quotes to prevent command injection when the input is used within shell arguments. However, the vulnerable implementation exhibits flawed logic when handling input that does not contain single quotes.
In the vulnerable version, when the input string contains no single quotes, escape_quotes returns the original pointer without allocating a new buffer or modifying the string; only input that does contain a quote receives a freshly allocated, escaped copy. This behaviour is what the exploit relies on. An attacker sends specially crafted, quote-free input to the API endpoint; if it passes the earlier checks and reaches the call to escape_quotes, the function hands back the original, unescaped data rather than a sanitised copy.
According to watchTowr Labs, the result is an uninitialized heap vulnerability: the attacker ends up controlling data that is later used in a context where arbitrary code execution is possible, either through the uninitialized memory itself or through the unescaped data being passed straight through. The exploit chain likely involves sending a specific payload to an API endpoint that triggers the vulnerable function, leading to the execution of attacker-chosen commands on the load balancer.
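The following is an added illustration, not Kemp LoadMaster code and not watchTowr's analysis: it models the pattern the article describes (an escape routine that hands back the caller's own pointer when there is nothing to escape) next to the form a reviewer would expect, which always returns a freshly allocated, fully single-quoted copy. The function names, the sample inputs and the is_single_quoted_word check are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not Kemp LoadMaster code. Function names and
 * behaviour are assumptions modelled on the article's description. */

/* Hardened form: always returns a freshly malloc'd, single-quoted copy.
 * POSIX single quotes disable every shell metacharacter; the only byte that
 * needs special handling is the quote itself, rewritten as '\'' (close the
 * quoted segment, emit a backslash-escaped quote, reopen). The caller always
 * owns the result and must free() it. Returns NULL on allocation failure. */
char *shell_quote(const char *in)
{
    size_t n = strlen(in), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'')
            extra += 3;                 /* ' becomes the 4 bytes '\'' */

    char *out = malloc(n + extra + 3);  /* two enclosing quotes + NUL */
    if (out == NULL)
        return NULL;

    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = in[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* The risky pattern described in the article: when the input has no single
 * quote, the original pointer is handed back unchanged. The caller cannot
 * distinguish "fresh heap copy I own" from "the buffer I passed in", and the
 * returned string is not a quoted shell word at all. */
char *escape_quotes_unsafe(char *in)
{
    if (strchr(in, '\'') == NULL)
        return in;                      /* no allocation, no quoting */
    return shell_quote(in);             /* only the quoted case gets a copy */
}

/* Check a practitioner can run on any value about to be spliced into a shell
 * command: returns 1 if every byte of s sits inside a single-quoted segment
 * or is the backslash-escaped quote between two segments, so nothing can
 * reach the shell unquoted; returns 0 otherwise. */
int is_single_quoted_word(const char *s)
{
    int in_quote = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (in_quote) {
            if (*p == '\'')
                in_quote = 0;
            continue;
        }
        if (*p == '\'') {
            in_quote = 1;
        } else if (*p == '\\' && p[1] == '\'') {
            p++;                        /* the \' between two segments */
        } else {
            return 0;                   /* unquoted byte */
        }
    }
    return in_quote == 0;
}

int main(void)
{
    char plain[] = "host=10.0.0.1";               /* constructed sample input */
    char injected[] = "x'; id; echo '";           /* constructed sample input */

    char *a = escape_quotes_unsafe(plain);
    printf("unsafe, no quote : %s (same buffer: %s, quoted word: %d)\n",
           a, a == plain ? "yes" : "no", is_single_quoted_word(a));

    char *b = shell_quote(injected);
    printf("hardened         : %s (quoted word: %d)\n", b, is_single_quoted_word(b));
    free(b);
    return 0;
}
```

The design point is that an escaping routine must have one contract for every input: either it always allocates (and the caller always frees) or it never does. A routine that allocates only on the "interesting" path leaves the caller with an ownership ambiguity and, as here, with a string that is not shell-safe in exactly the case the attacker chooses.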
Progress Software, the vendor behind Kemp LoadMaster (and the company behind MOVEit Transfer, whose 2023 zero-day was mass-exploited), issued an advisory on June 4th describing a "Command Injection Remote Code Execution Vulnerability." The two descriptions are not in conflict: the vendor names the effect, while watchTowr Labs' analysis names the cause, an uninitialized heap flaw in the quote-escaping path that lets unescaped data reach a shell command.
Users of Progress Kemp LoadMaster are strongly advised to update to a patched version as soon as possible and to confirm afterwards that the running firmware is no longer one of the affected versions. If immediate patching is not feasible, disabling the API feature on affected devices removes the pre-authentication exposure described here and serves as a temporary mitigation; restricting reachability of the management and API interface to trusted networks is a sensible control in either case. Network defenders should also monitor their environments for suspicious activity targeting Kemp LoadMaster appliances, particularly unusual API requests from unexpected sources or other signs of compromise.