CVE-2026-8037: the pre-auth heap bug that hands out root on Progress LoadMaster
An uninitialised-heap command injection in the LoadMaster API -- unauthenticated root, a public PoC within weeks, and exploitation attempts already logged
CVE-2026-8037 lets an attacker who can merely reach a Progress LoadMaster's management API execute operating-system commands on the appliance as root, with no credentials. The bug lives in the API endpoint POST /accessv2, and it is reachable whenever the appliance's RESTful API is enabled. Because a load balancer sits at the network edge and terminates TLS for the services behind it, root on that box is close to worst-case: traffic interception, credential theft, and a pivot straight into the internal network.
What CVE-2026-8037 actually is
The flaw is an OS command injection (CWE-77) that traces back to a memory-handling mistake, not a missing allow-list. LoadMaster's API handler runs user input through an escape_quotes() routine that is supposed to make the value safe before it is placed into a shell command. That routine makes two errors: it allocates its output buffer with malloc() and never initialises it, and it forgets to null-terminate the escaped string. When the handler then builds the command with an sprintf-family call, the missing terminator makes the copy read past the intended value and into adjacent heap memory the attacker controls.
Per watchTowr Labs, who published the root-cause analysis, the trigger is setting the apiuser field to four single quotes. Escaping expands those four bytes to sixteen, clobbering allocator metadata so that the unterminated read runs on into the extra JSON parameters the request sprays into the heap, parameters carrying shell metacharacters such as '; <command> #. The injected command is executed by the appliance's privileged API service, so the result is root code execution from an unauthenticated request. The intended security control, the escaping function, is itself the source of the bug: it hands the command builder an unterminated buffer whose tail is whatever the heap held before.
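The following is an added example, written for this page and not taken from LoadMaster or from the watchTowr write-up, that models the defect class described above in C. The function names, the command template and the single-arena "heap" are assumptions made so the over-read is deterministic; the allocator-metadata clobber from the real bug is not modelled. What it shows is the mechanism that matters: an escaping routine whose output buffer is neither zero-filled nor NUL-terminated lets the `%s` in the command builder keep reading into the adjacent attacker-controlled bytes, and a worst-case-sized, terminated buffer stops that.

```c
/* Added example: a minimal model of the defect class behind CVE-2026-8037.
   NOT LoadMaster code; names, the command template and the arena layout are
   hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA 256

/* Buggy escaper: rewrites ' as '\'' (a valid POSIX-shell escape) but never
   writes a terminating NUL. The result is only usable if the caller tracks
   the length, and the vulnerable handler does not. Returns bytes written. */
static size_t escape_quotes_buggy(const char *in, char *out) {
    size_t n = 0;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else out[n++] = *in;
    }
    return n;                    /* out[n] is left as whatever was there */
}

/* Fixed escaper: sizes for the worst case (every byte a quote), zero-fills so
   the buffer is terminated even before the copy, and terminates explicitly. */
static char *escape_quotes_fixed(const char *in) {
    size_t len = strlen(in), n = 0;
    char *out = calloc(len * 4 + 1, 1);
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else out[n++] = *in;
    }
    out[n] = '\0';
    return out;
}

/* Vulnerable handler. To make the over-read deterministic the "heap" is one
   arena in which the escaped value is immediately followed by an attacker-
   controlled chunk (standing in for the sprayed g0..g60 JSON values). */
int build_cmd_buggy(const char *apiuser, const char *spray, char *cmd, size_t cmdsz) {
    if (strlen(apiuser) * 4 + strlen(spray) + 1 > ARENA) return -1;
    char *arena = malloc(ARENA);
    if (!arena) return -1;
    size_t n = escape_quotes_buggy(apiuser, arena);   /* no NUL at arena[n] */
    memcpy(arena + n, spray, strlen(spray) + 1);       /* adjacent stale data */
    /* %s keeps reading until the first NUL, i.e. through the attacker's bytes */
    int w = snprintf(cmd, cmdsz, "/bin/sh -c \"/usr/bin/authcheck '%s'\"", arena);
    free(arena);
    return w;
}

/* Patched handler: the escaped value is terminated, so %s stops where it
   should. (Not shelling out at all would be the stronger fix; the point here
   is the buffer handling.) */
int build_cmd_fixed(const char *apiuser, char *cmd, size_t cmdsz) {
    char *esc = escape_quotes_fixed(apiuser);
    if (!esc) return -1;
    int w = snprintf(cmd, cmdsz, "/bin/sh -c \"/usr/bin/authcheck '%s'\"", esc);
    free(esc);
    return w;
}

/* 1 if the built command line carries the '; <command> # breakout shape. */
int has_breakout(const char *cmd) {
    return strstr(cmd, "'; ") != NULL && strchr(cmd, '#') != NULL;
}

int main(void) {
    char cmd[512];
    build_cmd_buggy("''''", "'; cat /etc/passwd #", cmd, sizeof cmd);
    printf("buggy: %s  -> breakout=%d\n", cmd, has_breakout(cmd));
    build_cmd_fixed("''''", cmd, sizeof cmd);
    printf("fixed: %s  -> breakout=%d\n", cmd, has_breakout(cmd));
    return 0;
}
```

With the four-quote apiuser, the buggy path produces a command line that ends in `'; cat /etc/passwd #'"`: the sprayed bytes close the quoted argument, run the attacker's command and comment out the rest. The fixed path produces only the sixteen escaped bytes.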
The exploitation chain
From a single unauthenticated request to root on the appliance. Each stage has a cheap chokepoint -- and the most effective one is simply not exposing the management API to untrusted networks, or disabling the API entirely where it is not used.
CVE-2026-8037 exploitation chain -- unauth /accessv2 to heap over-read to root RCE
- Reachable LoadMaster / ADC (API enabled) — An internet- or untrusted-reachable Progress LoadMaster (or ECS CM / Object Scale CM / MOVEit WAF) whose management API (typically HTTPS 8443) is turned on. If the management plane is isolated or the API is off, the chain stops here.
- Unauth POST /accessv2 (application/json) — Attacker sends an unauthenticated JSON request to the API endpoint -- no session, no credentials.
- Trigger heap over-read (apiuser = '''' + g0..g60 spray) — Four single quotes in apiuser expand 4->16 bytes and clobber allocator metadata; the uninitialised, unterminated buffer makes sprintf read past it into sprayed g0..g60 chunks.
- Shell metacharacters reach the command — The over-read pulls attacker bytes like '; # into the command string the appliance shells out.
- Root code execution on the appliance — The injected command runs as root from the privileged API service. No separate privilege-escalation step is needed.
- TLS intercept / pivot / persist — Edge ADC position enables traffic interception at the TLS boundary, a pivot into internal services, and durable persistence on a rarely-EDR-monitored device.
- Prevent: isolate mgmt interface / disable API — Cheapest, highest-value chokepoint: restrict the WUI/API to a management network / jump host / VPN, or disable the API if unused, so /accessv2 is unreachable.
- Detect: Sigma/Suricata on /accessv2 + IoC IPs — Alert on unauthenticated POST /accessv2 carrying the four-quote apiuser and repeated g0..g60 spray; watch inbound from 192.42.116.58 / 192.42.116.105 / 146.70.139.154 (eSentire).
- Detect: outbound reverse-shell hunt — New outbound TCP from the appliance management IP, outside its known egress set and correlated to a preceding /accessv2 request, is the primary post-exploit tell.
Am I affected?
Four Progress ADC-family products share the vulnerable engine: LoadMaster (Kemp LoadMaster), ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF (which is not MOVEit Transfer -- see the caveat below). Vulnerable builds are GA 7.2.63.1 and older and LTSF 7.2.54.17 and older; the fixes are GA 7.2.63.2 and LTSF 7.2.54.18, both released on 4 June 2026. The critical scoping fact: the bug is only reachable when the API is enabled. The login page does not leak the firmware version -- read it with valid admin credentials via the API (cmd=getall / getsysinfo) or from the WUI System Configuration footer, and compare against the fixed builds.
| Axis | Value | What it means |
| CVSS 3.1 | 9.6 Critical (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); some outlets 9.8 | No privileges, low complexity, scope change, full C/I/A impact. Note the AV:A (adjacent network) vector behind the 9.6; the 9.8 figure corresponds to a network vector without scope change. Do not let an "adjacent" rating deprioritise an internet-reachable management interface |
| EPSS | About the 98th percentile | High -- consistent with a public PoC and early exploitation attempts |
| CISA KEV | Not listed (as of 2026-07-01) | KEV lags; do not wait for it. The prior LoadMaster bug CVE-2024-1212 did reach KEV |
| Exploited in the wild | Attempts observed from 2026-06-29 -- reported unsuccessful | eSentire honeypot/telemetry; no confirmed compromise, no attribution |
| Public PoC | Yes -- a Nuclei template that proves RCE | Weaponisation is trivial: swap the benign proof command |
| Precondition | API must be enabled; reachable management interface | Isolated management plane / disabled API removes the remote path |
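Comparing a build string against the fixed builds is the step people get wrong, because the LTSF fix (7.2.54.18) is numerically lower than the vulnerable GA build (7.2.63.1). The following added example, not from the page or from Progress, encodes the fixed builds named above and picks the branch first. The branch rule (7.2.54.x is LTSF, everything else is GA) and the assumption that any later build in a branch carries the fix are this example's; it also does not check the separate precondition that the API is enabled.

```c
/* Added example (not from the page or Progress): decide whether a reported
   firmware build carries the CVE-2026-8037 fix. The fixed builds are the ones
   the bulletin names; the branch rule and "later is fixed" are assumptions. */
#include <stdio.h>

typedef struct { int f[4]; } fw_version;

/* Parse "7.2.63.1"; returns 0 on success, -1 on anything else. */
int parse_fw_version(const char *s, fw_version *v) {
    char tail;
    int n = sscanf(s, "%d.%d.%d.%d%c", &v->f[0], &v->f[1], &v->f[2], &v->f[3], &tail);
    if (n != 4) return -1;                   /* too short, or trailing junk */
    for (int i = 0; i < 4; i++) if (v->f[i] < 0) return -1;
    return 0;
}

/* Lexicographic compare of two parsed versions: -1, 0, 1. */
int fw_cmp(const fw_version *a, const fw_version *b) {
    for (int i = 0; i < 4; i++)
        if (a->f[i] != b->f[i]) return a->f[i] < b->f[i] ? -1 : 1;
    return 0;
}

/* 1 = fixed build, 0 = vulnerable build, -1 = unparseable.
   A plain numeric compare against GA 7.2.63.2 would flag LTSF 7.2.54.18, a
   fixed build, as vulnerable; the branch has to be chosen first. */
int cve_2026_8037_fixed(const char *version) {
    static const fw_version ga_fix   = {{7, 2, 63, 2}};
    static const fw_version ltsf_fix = {{7, 2, 54, 18}};
    fw_version v;
    if (parse_fw_version(version, &v) != 0) return -1;
    int is_ltsf = (v.f[0] == 7 && v.f[1] == 2 && v.f[2] == 54);   /* assumption */
    return fw_cmp(&v, is_ltsf ? &ltsf_fix : &ga_fix) >= 0 ? 1 : 0;
}

int main(void) {
    const char *samples[] = {"7.2.63.1", "7.2.63.2", "7.2.54.17", "7.2.54.18",
                             "7.2.59.0", "7.2.63"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], cve_2026_8037_fixed(samples[i]));
    return 0;
}
```

Feed it the version string returned by the API or shown in the WUI footer; a result of 0 on an API-enabled appliance puts that unit in the first patch wave.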
Exploited in the wild -- carefully stated
Progress shipped the fix on 4 June 2026. watchTowr published the technical write-up on 29 June, and a working proof-of-concept -- a Nuclei template that confirms code execution by reading /etc/passwd -- appeared the same day. eSentire's Threat Response Unit observed exploitation attempts beginning that same 29 June, from three source IPs: 192.42.116.58, 192.42.116.105, and 146.70.139.154. Crucially, those attempts were reported unsuccessful, with no post-compromise activity and no threat-actor attribution. This is the second Progress/Kemp LoadMaster command-injection flaw to draw exploitation attention, after CVE-2024-1212.
Detection & hunting
Because the management interface runs over TLS (typically port 8443), the appliance's own API/access log -- or a TLS-terminating proxy in front of it -- is where you will actually see request content; a passive network sensor only sees encrypted flows unless you decrypt. Enable remote syslog on the appliance and forward the WUI/API access log. The durable signal is the endpoint plus the payload shape, not the first attacker's IP.
- Request-side: an unauthenticated POST /accessv2 is the anomaly, especially from a non-management source IP.
- Payload shape: a JSON body with apiuser set to four single quotes ('''') and many repeated keys g0..g60 whose values carry a '; <command> # breakout. The repetitive spray plus the quote breakout are the strongest tells.
- Safe confirmation: replicate the public Nuclei matcher rather than running a destructive payload. The template reports a target vulnerable only if the response body contains root:x:0:0:, the Content-Type is text/json, and the status is 200. It still executes a command on the appliance, so only run it against units you are authorised to test.
- Post-exploit: a new outbound connection from the appliance management IP, outside its normal egress (NTP/DNS/syslog/auth/licensing), correlated to a preceding /accessv2 request.
- First-wave IoCs (retro-hunt, ephemeral): source IPs 192.42.116.58, 192.42.116.105, 146.70.139.154.
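To make the tells above concrete, here is an added example, not from the page, the vendor or any SIEM, that scores a single API access-log record with the same logic as the Sigma rule below (endpoint AND (payload OR spray)). The log fields, the JSON shapes of the constructed request bodies and the spray threshold of eight g-keys are assumptions; the real PoC body may differ in detail, which is why the rule keys on shape rather than on exact strings.

```c
/* Added example (not from the page or the vendor): request-side triage of
   LoadMaster API access-log records. Log fields, body shapes and the spray
   threshold are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { HIT_ENDPOINT = 1, HIT_QUOTES = 2, HIT_BREAKOUT = 4, HIT_SPRAY = 8 };

/* Count JSON keys of the form "g<1-2 digits>": (the g0..g60 spray). */
int count_spray_keys(const char *body) {
    int n = 0;
    for (const char *p = body; (p = strstr(p, "\"g")) != NULL; p += 2) {
        const char *q = p + 2;
        int digits = 0;
        while (digits < 2 && isdigit((unsigned char)*q)) { q++; digits++; }
        if (digits == 0 || *q != '"') continue;   /* "getall", "g100" do not count */
        q++;
        while (*q == ' ' || *q == '\t') q++;
        if (*q == ':') n++;
    }
    return n;
}

/* Score one request; returns a bitmask of HIT_* tells. */
int score_request(const char *method, const char *uri, const char *body) {
    int hits = 0;
    const char *qm = strchr(uri, '?');
    size_t ulen = qm ? (size_t)(qm - uri) : strlen(uri);
    if (strcmp(method, "POST") == 0 && ulen >= 9 &&
        strncmp(uri + ulen - 9, "/accessv2", 9) == 0)
        hits |= HIT_ENDPOINT;
    if (strstr(body, "\"apiuser\"") && strstr(body, "''''"))
        hits |= HIT_QUOTES;                       /* the 4 -> 16 byte trigger */
    if (strstr(body, "'; ") && strchr(body, '#'))
        hits |= HIT_BREAKOUT;                     /* '; <command> # */
    if (count_spray_keys(body) >= 8)              /* threshold: assumption */
        hits |= HIT_SPRAY;
    return hits;
}

/* Alert when the endpoint matches and at least one payload/spray tell fires. */
int should_alert(int hits) {
    return ((hits & HIT_ENDPOINT) && (hits & (HIT_QUOTES | HIT_BREAKOUT | HIT_SPRAY))) ? 1 : 0;
}

/* Construct a body shaped like the public PoC: four-quote apiuser plus nkeys
   sprayed g<i> values carrying the breakout. Returns bytes written, -1 if the
   buffer is too small. */
int build_spray_body(char *buf, size_t sz, int nkeys) {
    int off = snprintf(buf, sz, "{\"apiuser\":\"''''\",\"apikey\":\"AAAA\"");
    for (int i = 0; i < nkeys; i++) {
        if (off < 0 || (size_t)off >= sz) return -1;
        off += snprintf(buf + off, sz - off, ",\"g%d\":\"'; cat /etc/passwd #\"", i);
    }
    if (off < 0 || (size_t)off >= sz) return -1;
    off += snprintf(buf + off, sz - off, "}");
    return (off < 0 || (size_t)off >= sz) ? -1 : off;
}

/* Constructed legitimate API login, for comparison (field names assumed). */
const char *BENIGN_BODY = "{\"apiuser\":\"bal\",\"apipass\":\"secret\",\"cmd\":\"getall\"}";

int main(void) {
    char body[4096];
    build_spray_body(body, sizeof body, 61);
    int h = score_request("POST", "/accessv2", body);
    printf("attack    hits=0x%x alert=%d spray_keys=%d\n", h, should_alert(h), count_spray_keys(body));
    h = score_request("POST", "/accessv2", BENIGN_BODY);
    printf("benign    hits=0x%x alert=%d\n", h, should_alert(h));
    h = score_request("GET", "/", "");
    printf("unrelated hits=0x%x alert=%d\n", h, should_alert(h));
    return 0;
}
```

A legitimate login to /accessv2 scores only the endpoint bit and does not alert; the PoC-shaped body trips the quote, breakout and spray bits. A variant with no spray at all still alerts on the four-quote apiuser, which is why the endpoint plus payload shape, not the spray count alone, is the durable signal.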
```yaml
# PROPOSED, NOT OFFICIAL - request-side detection on the LoadMaster API/access log or a fronting WAF
# cs-body is not a standard Sigma webserver field: it assumes your pipeline records request bodies
title: Progress LoadMaster Pre-Auth Command Injection (CVE-2026-8037)
status: experimental
logsource:
  category: webserver
detection:
  selection_endpoint:
    cs-method: 'POST'
    cs-uri-stem|endswith: '/accessv2'
  selection_payload:
    cs-body|contains:
      - "'; cat /etc/passwd #"
      - "''''"
      - "'; id"
  selection_spray:
    cs-body|re: '"g[0-9]{1,2}"\s*:'
  condition: selection_endpoint and (selection_payload or selection_spray)
fields: [c-ip, cs-method, cs-uri-stem, sc-status]
level: critical
```

What to do now
- Patch every affected product to GA 7.2.63.2 or LTSF 7.2.54.18 (both released 4 June 2026). The same release also fixes the companion flaw CVE-2026-33691 (a WAF upload-filter bypass), so it is one update, not two.
- If you cannot patch today: disable the API if it is not required, and restrict the WUI/API to a dedicated management network / jump host / VPN so /accessv2 is never internet- or user-VLAN-reachable. Fronting the interface with a filtering proxy/WAF buys additional time.
- Assume attempted exploitation if you were exposed and unpatched after ~4 June 2026: hunt the logs above against the IoC IPs and for anomalous outbound connections before closing the ticket.
- Prioritise: reachable, API-enabled appliances first (24-72h); API-enabled-but-isolated units on the next window; API-disabled units on normal cadence -- and verify that 'isolated' really is.
FAQ
Is CVE-2026-8037 being exploited?
Exploitation attempts have been observed since 29 June 2026 (eSentire), so far reported as unsuccessful and unattributed. A public PoC exists, so treat exposed, unpatched appliances as targeted.
Is it really remote code execution?
Yes. An unauthenticated POST /accessv2 leads to OS command execution as root on the appliance, with no separate privilege-escalation step.
Which products and versions are affected?
LoadMaster, ECS Connection Manager, Object Scale Connection Manager and MOVEit WAF on GA 7.2.63.1 and older or LTSF 7.2.54.17 and older, when the API is enabled. Fixed in GA 7.2.63.2 and LTSF 7.2.54.18.
It is not on CISA KEV -- can I wait?
No. KEV lags exploitation reporting, a public PoC and observed attempts already exist, and the precondition (a reachable, API-enabled management interface) is common. Patch or isolate now.
Is this the 2023 MOVEit / Cl0p attack?
No. MOVEit WAF is a LoadMaster-family product that shares the vulnerable engine. MOVEit Transfer, the managed file-transfer product exploited by Cl0p in 2023, is a different product and is not among the four listed here.
Sources
- NVD -- CVE-2026-8037
- Progress -- LoadMaster Critical Security Bulletin, June 2026 (CVE-2026-8037, CVE-2026-33691)
- watchTowr Labs -- Progress Kemp LoadMaster uninitialized heap to pre-auth RCE
- The Hacker News -- Kemp LoadMaster flaw could let attackers run root commands pre-auth
- The Hacker News -- Progress Kemp LoadMaster pre-auth RCE faces active exploitation attempts
- eSentire -- Progress Kemp LoadMaster vulnerability targeted (CVE-2026-8037)
- SOCRadar -- CVE-2026-8037 Progress Kemp LoadMaster RCE
- CyberSecurityNews -- Critical Progress Kemp LoadMaster vulnerability enables pre-auth RCE
- Canadian Centre for Cyber Security -- Progress security advisory AV26-552
- ProjectDiscovery -- Nuclei template CVE-2026-8037.yaml