
CVE-2026-8037: the pre-auth heap bug that hands out root on Progress LoadMaster

An uninitialised-heap command injection in the LoadMaster API -- unauthenticated root, a public PoC within weeks, and exploitation attempts already logged

CVE-2026-8037 lets an attacker who can merely reach a Progress LoadMaster's management API execute operating-system commands on the appliance as root, with no credentials. The bug lives in the API endpoint POST /accessv2, and it is reachable whenever the appliance's RESTful API is enabled. Because a load balancer sits at the network edge and terminates TLS for the services behind it, root on that box is close to worst-case: traffic interception, credential theft, and a pivot straight into the internal network.

What CVE-2026-8037 actually is

The flaw is an OS command injection (CWE-77) that traces back to a memory-handling mistake, not a missing allow-list. LoadMaster's API handler runs user input through an escape_quotes() routine that is supposed to make the value safe before it is placed into a shell command. That routine makes two errors: it allocates its output buffer with malloc() and never initialises it, and it forgets to null-terminate the escaped string. When the handler then builds the command with an sprintf-family call, the missing terminator makes the copy read past the intended value and into adjacent heap memory the attacker controls.

Per watchTowr Labs, who published the root-cause analysis, the trigger is setting the apiuser field to four single quotes. Escaping expands those four bytes to sixteen, clobbering allocator metadata so the unterminated read runs on into extra JSON parameters the request sprays into the heap -- parameters carrying shell metacharacters like '; <command> #. The injected command is executed by the appliance's privileged API service, so the result is root code execution from an unauthenticated request. The intended security control -- the escaping function -- is the thing reading its own uninitialised memory.
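To make the bug class concrete, here is an added example in C. It is not LoadMaster's code and not watchTowr's reconstruction: a flawed escape routine carrying the two defects described above (uninitialised malloc() output, no terminator) sits next to a hardened version, followed by a bounded command builder. The escaping convention (each single quote becomes '\'' , which gives exactly the 4-to-16 expansion reported), the /bin/lookup_user command and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not LoadMaster code: a model of the bug class the write-up
 * describes. A single quote inside a single-quoted shell word is commonly
 * escaped as '\'' (close, escaped quote, reopen): 1 byte -> 4, so four
 * quotes -> 16 bytes, matching the expansion reported above. */

/* Flawed pattern, shown for contrast only and never called here: the output
 * is malloc()'d without initialisation and never NUL-terminated, so a later
 * "%s" read runs off the end into whatever the heap holds next. */
char *escape_quotes_flawed(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n * 4);         /* uninitialised heap bytes */
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = in[i];
        }
    }
    return out;                        /* missing: out[j] = '\0'; */
}

/* Hardened version: size the buffer from the input (worst case 4x plus the
 * terminator), zero it, write the terminator, return NULL on overflow/OOM. */
char *escape_quotes(const char *in)
{
    size_t n = strlen(in);
    if (n > (SIZE_MAX - 1) / 4)
        return NULL;
    char *out = calloc(n * 4 + 1, 1);  /* zeroed: terminated even on an early exit */
    if (!out)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = in[i];
        }
    }
    out[j] = '\0';                     /* explicit terminator */
    return out;
}

/* Bounded command construction: snprintf with the real buffer size and a
 * truncation check, instead of trusting sprintf to stop on its own.
 * /bin/lookup_user is a hypothetical placeholder command. */
int build_command(char *dst, size_t dstlen, const char *user)
{
    char *esc = escape_quotes(user);
    if (!esc)
        return -1;
    int n = snprintf(dst, dstlen, "/bin/lookup_user '%s'", esc);
    free(esc);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;                     /* truncated: refuse rather than run a mangled command */
    return n;
}

/* Escaped length of a string, -1 on failure (used by the checks below). */
long escaped_len(const char *in)
{
    char *e = escape_quotes(in);
    if (!e)
        return -1;
    long len = (long)strlen(e);
    free(e);
    return len;
}

int main(void)
{
    char cmd[64];
    printf("four quotes escape to %ld bytes\n", escaped_len("''''"));
    if (build_command(cmd, sizeof cmd, "admin") > 0)
        puts(cmd);
    return 0;
}
```

The two fixes are independent: calloc() (or an explicit `out[j] = '\0'`) removes the over-read, and the truncation check on snprintf() makes the command builder fail closed when the escaped value does not fit. Either one alone would have broken the chain described above; both together are the idiomatic form.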

The exploitation chain

The chain runs from a single unauthenticated request to root on the appliance. Each stage has a cheap chokepoint -- and the most effective one is simply not exposing the management API to untrusted networks, or disabling the API entirely where it is not used.

CVE-2026-8037 exploitation chain -- unauth /accessv2 to heap over-read to root RCE

  1. Reachable LoadMaster / ADC (API enabled) — An internet- or untrusted-reachable Progress LoadMaster (or ECS CM / Object Scale CM / MOVEit WAF) whose management API (typically HTTPS 8443) is turned on. If the management plane is isolated or the API is off, the chain stops here.
  2. Unauth POST /accessv2 (application/json) — Attacker sends an unauthenticated JSON request to the API endpoint -- no session, no credentials.
  3. Trigger heap over-read (apiuser = '''' + g0..g60 spray) — Four single quotes in apiuser expand from 4 to 16 bytes and clobber allocator metadata; the uninitialised, unterminated buffer makes sprintf read past it into the sprayed g0..g60 chunks.
  4. Shell metacharacters reach the command — The over-read pulls attacker bytes like '; # into the command string the appliance shells out.
  5. Root code execution on the appliance — The injected command runs as root from the privileged API service. No separate privilege-escalation step is needed.
  6. TLS intercept / pivot / persist — Edge ADC position enables traffic interception at the TLS boundary, a pivot into internal services, and durable persistence on a rarely-EDR-monitored device.
  7. Prevent: isolate mgmt interface / disable API — Cheapest, highest-value chokepoint: restrict the WUI/API to a management network / jump host / VPN, or disable the API if unused, so /accessv2 is unreachable.
  8. Detect: Sigma/Suricata on /accessv2 + IoC IPs — Alert on unauthenticated POST /accessv2 carrying the four-quote apiuser and repeated g0..g60 spray; watch inbound from 192.42.116.58 / 192.42.116.105 / 146.70.139.154 (eSentire).
  9. Detect: outbound reverse-shell hunt — New outbound TCP from the appliance management IP, outside its known egress set and correlated to a preceding /accessv2 request, is the primary post-exploit tell.

Am I affected?

Four Progress ADC-family products share the vulnerable engine: LoadMaster (Kemp LoadMaster), ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF (which is not MOVEit Transfer -- see the caveat below). Vulnerable builds are GA 7.2.63.1 and older and LTSF 7.2.54.17 and older; the fixes are GA 7.2.63.2 and LTSF 7.2.54.18, both released on 4 June 2026. The critical scoping fact: the bug is only reachable when the API is enabled. The login page does not leak the firmware version -- read it with valid admin credentials via the API (cmd=getall / getsysinfo) or from the WUI System Configuration footer, and compare against the fixed builds.

| Axis | Value | What it means |
|---|---|---|
| CVSS 3.1 | 9.6 Critical (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); some outlets 9.8 | Unauthenticated, low complexity, scope-changed, root impact |
| EPSS | About the 98th percentile | High -- consistent with a public PoC and early exploitation attempts |
| CISA KEV | Not listed (as of 2026-07-01) | KEV lags; do not wait for it. The prior LoadMaster bug CVE-2024-1212 did reach KEV |
| Exploited in the wild | Attempts observed from 2026-06-29 -- reported unsuccessful | eSentire honeypot/telemetry; no confirmed compromise, no attribution |
| Public PoC | Yes -- a Nuclei template that proves RCE | Weaponisation is trivial: swap the benign proof command |
| Precondition | API must be enabled; reachable management interface | Isolated management plane / disabled API removes the remote path |

Exploited in the wild -- carefully stated

Progress shipped the fix on 4 June 2026. watchTowr published the technical write-up on 29 June, and a working proof-of-concept -- a Nuclei template that confirms code execution by reading /etc/passwd -- appeared the same day. eSentire's Threat Response Unit observed exploitation attempts beginning that same 29 June, from three source IPs: 192.42.116.58, 192.42.116.105, and 146.70.139.154. Crucially, those attempts were reported unsuccessful, with no post-compromise activity and no threat-actor attribution. This is the second Progress/Kemp LoadMaster command-injection flaw to draw exploitation attention, after CVE-2024-1212.

Detection & hunting

Because the management interface runs over TLS (typically port 8443), the appliance's own API/access log -- or a TLS-terminating proxy in front of it -- is where you will actually see request content; a passive network sensor only sees encrypted flows unless you decrypt. Enable remote syslog on the appliance and forward the WUI/API access log. The durable signal is the endpoint plus the payload shape, not the first attacker's IP.

  • Request-side: an unauthenticated POST /accessv2 is the anomaly -- especially from a non-management source IP.
  • Payload shape: a JSON body with apiuser set to four single quotes ('''') and many repeated keys g0..g60 whose values carry a '; <command> # breakout. The repetitive spray plus the quote breakout are the strongest tells.
  • Safe confirmation: replicate the public Nuclei matcher rather than a destructive payload -- treat the appliance as vulnerable only if the benign probe's response body contains root:x:0:0:, the Content-Type is text/json, and the status is 200.
  • Post-exploit: a new outbound connection from the appliance management IP, outside its normal egress (NTP/DNS/syslog/auth/licensing), correlated to a preceding /accessv2 request.
  • First-wave IoCs (retro-hunt, ephemeral): source IPs 192.42.116.58, 192.42.116.105, 146.70.139.154.

# PROPOSED, NOT OFFICIAL - request-side detection on the LoadMaster API/access log or a fronting WAF
title: Progress LoadMaster Pre-Auth Command Injection (CVE-2026-8037)
status: experimental
logsource:
  category: webserver
detection:
  selection_endpoint:
    cs-method: 'POST'
    cs-uri-stem|endswith: '/accessv2'
  selection_payload:
    cs-body|contains:
      - "'; cat /etc/passwd #"
      - "''''"
      - "'; id"
  selection_spray:
    cs-body|re: '"g[0-9]{1,2}"\s*:'
  condition: selection_endpoint and (selection_payload or selection_spray)
fields: [c-ip, cs-method, cs-uri-stem, sc-status]
level: critical
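The indicators from the bullets and the proposed Sigma rule, applied to one logged API request in C as an added example (not vendor, watchTowr or eSentire tooling): endpoint, four-quote apiuser, the quote breakout, and the repeated g<N> key spray. The request field layout, the SPRAY_THRESHOLD tuning value and both sample bodies are constructed assumptions, not facts from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor or eSentire tooling: applies the request-side
 * indicators from the write-up to a single logged request. SPRAY_THRESHOLD
 * is an assumed tuning knob, not a documented value. */
#define SPRAY_THRESHOLD 8   /* how many g<N> keys count as a spray (assumption) */

struct verdict {
    int endpoint_hit;   /* POST to .../accessv2 */
    int quad_quote;     /* apiuser value is exactly four single quotes */
    int breakout;       /* a quote-semicolon ... hash sequence appears in the body */
    int spray_keys;     /* number of "g<digits>" JSON keys seen */
    int alert;          /* overall decision */
};

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && memcmp(s + ls - lx, suffix, lx) == 0;
}

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* "apiuser" followed by ':' and the JSON string "''''" (four single quotes). */
static int apiuser_is_quad_quote(const char *body)
{
    const char *p = strstr(body, "\"apiuser\"");
    if (!p) return 0;
    p = skip_ws(p + strlen("\"apiuser\""));
    if (*p != ':') return 0;
    p = skip_ws(p + 1);
    return strncmp(p, "\"''''\"", 6) == 0;
}

/* Count keys matching the Sigma selection_spray pattern "g[0-9]{1,2}"\s*: */
static int count_spray_keys(const char *body)
{
    int count = 0;
    for (const char *p = strstr(body, "\"g"); p; p = strstr(p + 2, "\"g")) {
        const char *q = p + 2;
        int digits = 0;
        while (digits < 2 && isdigit((unsigned char)*q)) { q++; digits++; }
        if (digits && *q == '"' && *skip_ws(q + 1) == ':')
            count++;
    }
    return count;
}

/* A single quote directly followed by ';' with a '#' somewhere after it:
 * the "'; <command> #" breakout shape described in the write-up. */
static int has_breakout(const char *body)
{
    const char *p = strstr(body, "';");
    return p != NULL && strchr(p, '#') != NULL;
}

struct verdict classify_request(const char *method, const char *uri, const char *body)
{
    struct verdict v = {0};
    v.endpoint_hit = strcmp(method, "POST") == 0 && ends_with(uri, "/accessv2");
    v.quad_quote   = apiuser_is_quad_quote(body);
    v.breakout     = has_breakout(body);
    v.spray_keys   = count_spray_keys(body);
    /* The endpoint alone is not alerted: an access log cannot tell an
     * authenticated call from an unauthenticated one, so the payload shape
     * carries the decision, as in the Sigma rule's condition. */
    v.alert = v.endpoint_hit &&
              (v.quad_quote || v.breakout || v.spray_keys >= SPRAY_THRESHOLD);
    return v;
}

/* Constructed sample: a body shaped like the described spray, with nkeys
 * g<N> keys carrying the benign "'; id #" value from the Sigma rule. */
struct verdict classify_constructed_spray(int nkeys)
{
    static char body[8192];
    int off = snprintf(body, sizeof body, "{\"apiuser\": \"''''\"");
    for (int i = 0; i < nkeys && off < (int)sizeof body - 64; i++)
        off += snprintf(body + off, sizeof body - off, ", \"g%d\": \"'; id #\"", i);
    snprintf(body + off, sizeof body - off, "}");
    return classify_request("POST", "/accessv2", body);
}

/* Constructed benign sample: an ordinary-looking call to the same endpoint. */
struct verdict classify_constructed_benign(void)
{
    return classify_request("POST", "/accessv2",
                            "{\"apikey\": \"CONSTRUCTED-KEY\", \"cmd\": \"getall\"}");
}

int main(void)
{
    struct verdict v = classify_constructed_spray(61);
    printf("alert=%d quad=%d breakout=%d spray_keys=%d\n",
           v.alert, v.quad_quote, v.breakout, v.spray_keys);
    return 0;
}
```

The three payload checks are deliberately independent so that a single evasion (a different breakout command, fewer spray keys) still leaves at least one indicator firing, and the spray count is exposed separately so the threshold can be tuned against a site's real traffic before it drives paging.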

What to do now

  1. Patch every affected product to GA 7.2.63.2 or LTSF 7.2.54.18 (both released 4 June 2026). The same release also fixes the companion flaw CVE-2026-33691 (a WAF upload-filter bypass), so it is one update, not two.
  2. If you cannot patch today: disable the API if it is not required, and restrict the WUI/API to a dedicated management network / jump host / VPN so /accessv2 is never internet- or user-VLAN-reachable. Fronting the interface with a filtering proxy/WAF buys additional time.
  3. Assume attempted exploitation if you were exposed and unpatched after ~4 June 2026: hunt the logs above against the IoC IPs and for anomalous outbound connections before closing the ticket.
  4. Prioritise: reachable, API-enabled appliances first (24-72h); API-enabled-but-isolated units on the next window; API-disabled units on normal cadence -- and verify that 'isolated' really is.

FAQ

Is CVE-2026-8037 being exploited?
Exploitation attempts were observed from 29 June 2026, the same day the public PoC dropped, but they were reported unsuccessful with no confirmed compromise. Treat exposed, API-enabled appliances as urgent regardless.
Is it really remote code execution?
Yes -- unauthenticated OS command injection that runs commands as root on the appliance. A public Nuclei template proves code execution, and weaponising it is trivial.
Which products and versions are affected?
Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF. Vulnerable: GA 7.2.63.1 and older, LTSF 7.2.54.17 and older. Fixed: GA 7.2.63.2 / LTSF 7.2.54.18. Only reachable when the API is enabled.
It is not on CISA KEV -- can I wait?
No. KEV lags real-world activity, and this bug already has a public PoC plus observed attempts. The prior LoadMaster command-injection flaw, CVE-2024-1212, was eventually added to KEV -- exposure, not a KEV listing, is the right trigger.
Is this the 2023 MOVEit / Cl0p attack?
No. That was MOVEit Transfer (CVE-2023-34362), a different product with a different bug and actor. This flaw affects the LoadMaster ADC engine, including the separate MOVEit WAF product; no ransomware group is linked to it.
