
CVE-2026-8037

Severity: CRITICAL · CVSS 9.6 · EPSS 1.9%
Hype: LIKELY HACK · 72

Working PoC public, vendor patch exists, but KEV not yet listed; active research chatter.

What: OS command injection in Progress Kemp LoadMaster API allows unauthenticated remote code execution as root via unsanitized input (CVSS 9.6 CRITICAL).

Why it matters: WatchTowr Labs published detailed technical analysis with working PoC ("Enterprise Tech In, Shell Out"); vendor patch available; affects critical load-balancer infrastructure; pre-auth exploitation requires no credentials.

Where it's seen: Technical research labs (WatchTowr), infosec news aggregation (The Hacker News), multilingual security blogs, and social amplification of the advisory. No KEV listing yet but high engagement suggests rapid discovery phase.

RISK: CRITICAL — Unauthenticated RCE on internet-facing appliances; CVSS 9.6; PoC published by researcher.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/30/2026, 11:06:18 AM

Description

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints.

CVSS 3.1 breakdown

Exploitability 2.8 · Impact 6.0
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack vector: Adjacent network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Weaknesses