Kemp LoadMaster Flaw Allows Root Command Execution Pre-Auth

Progress Kemp LoadMaster has a critical vulnerability, tracked as CVE-2026-8037, that allows unauthenticated attackers to execute arbitrary commands with root privileges on the appliance. This exploit is possible by sending a specially crafted request to the device's API. The vulnerability carries a CVSS score of 9.8, indicating a high severity level, as reported by ZDI. Progress has released a patch to address this security flaw. The company's advisory, published on June 10, 2024, urges users to update their LoadMaster appliances immediately if the API is enabled. Exploitation of this vulnerability could lead to a complete compromise of the affected LoadMaster devices, allowing attackers to gain full control and potentially disrupt network services or exfiltrate sensitive data. Organizations relying on Kemp LoadMaster for load balancing and application delivery should prioritize applying the available patch to mitigate the risk of unauthorized access and command execution.