CVE Tools
Back to feed
The Hacker News ·EN News source

Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth

By The Hacker News··3 min read
CVE Tools coverage

Progress Kemp LoadMaster discloses a critical pre-auth remote command execution issue in its API that can allow an unauthenticated attacker to run arbitrary commands as root by sending a crafted request. The vulnerability is tracked as CVE-2026-8037 (CVSS 9.8) and affects LoadMaster GA v7.2.63.1 and older, plus LTSF v7.2.54.17 and older when the API is enabled; fixed releases are GA v7.2.63.2 and LTSF v7.2.54.18. The bug matters because the affected /accessv2 endpoint is reachable before authentication, and a public proof of concept has been demonstrated even though no exploitation reports have been made.