A critical vulnerability in Progress Kemp LoadMaster, tracked as CVE-2026-8037 with a CVSS score of 9.8, allows a completely unauthenticated attacker to execute arbitrary commands as root on the appliance. No login, no session token, and no user interaction are required. A single crafted HTTP request to the device’s API is enough to take full control of the box that sits directly in front of the applications it is meant to protect.
A sanitisation function that forgot to sanitise
The root cause is a memory safety bug inside a function called escape_quotes(), whose entire job is to neutralise special characters in user input before that input is passed to a shell command. The pre-patch version of the function allocated its output buffer with malloc(), left it uninitialised, and then failed to write a null terminator at the end of the escaped string. Because the caller treats that buffer as a C string, the command it builds does not end where the escaped input ends: it runs on into whatever bytes the previous occupant of that heap chunk left behind. An attacker who can influence those leftover bytes can therefore append unescaped shell metacharacters to the command without ever sending a character that escape_quotes() would have neutralised. watchTowr Labs published a detailed technical write-up of the full exploitation chain on 29 June, turning what had been an abstract advisory into a practical roadmap for attackers.
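To make the bug class concrete, here is an added C illustration. It is a hypothetical reconstruction, not the LoadMaster source or watchTowr's code: the function names, the exact escaping scheme (single quotes wrapped as '\'') and the buffer sizing are assumptions. It shows the pre-patch shape beside a patched one, and uses a deterministic stand-in for the stale heap chunk so the smuggling is visible without relying on undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Core loop shared by both versions: turns ' into '\'' so the result is
 * safe inside a single-quoted shell argument. It writes no terminator;
 * the caller is responsible, which is exactly where the bug lives. */
static size_t escape_quotes_raw(char *out, const char *in)
{
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = *p;
        }
    }
    return j;
}

/* Pre-patch pattern (hypothetical): malloc() leaves the buffer
 * uninitialised and the function returns without writing '\0'. strlen()
 * on the result runs on into whatever the chunk's previous owner left. */
char *escape_quotes_vuln(const char *in)
{
    char *out = malloc(strlen(in) * 4 + 1);
    if (!out) return NULL;
    escape_quotes_raw(out, in);
    return out;  /* BUG: no out[j] = '\0' */
}

/* Patched pattern: terminate explicitly, and zero the buffer so that even
 * a later sizing mistake cannot expose stale heap bytes. */
char *escape_quotes_fixed(const char *in)
{
    size_t cap = strlen(in) * 4 + 1;
    char *out = calloc(cap, 1);
    if (!out) return NULL;
    size_t j = escape_quotes_raw(out, in);
    out[j] = '\0';
    return out;
}

/* Deterministic stand-in for "leftover heap memory": the chunk is
 * pre-filled with bytes a previous, attacker-influenced allocation might
 * have left, then used exactly as the vulnerable function uses it. */
char *escape_quotes_on_stale_chunk(const char *in, const char *stale, size_t cap)
{
    if (strlen(stale) >= cap || strlen(in) * 4 >= cap) return NULL;
    char *out = malloc(cap);
    if (!out) return NULL;
    memset(out, 0, cap);
    memcpy(out, stale, strlen(stale));   /* simulate prior heap contents */
    escape_quotes_raw(out, in);          /* no terminator, as pre-patch */
    return out;
}

int main(void)
{
    char *fixed = escape_quotes_fixed("it's");
    printf("fixed : %s\n", fixed);           /* it'\''s */

    /* Constructed stale chunk: shell metacharacters a prior request left. */
    char *smuggled = escape_quotes_on_stale_chunk("ab", "XXXXXXXX; id #", 32);
    printf("stale : %s\n", smuggled);        /* abXXXXXX; id # */

    free(fixed);
    free(smuggled);
    return 0;
}
```

The second call is the whole vulnerability in miniature: the input "ab" contains nothing to escape, yet the string the caller would splice into a shell command ends with "; id #" because nothing marked where the escaped bytes stopped. Whether a real attacker can place chosen bytes in that chunk is a heap-grooming question; the write-up referenced above is where that detail lives.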
Affected products and versions
The advisory covers Progress’s entire application delivery controller line, not just LoadMaster in isolation:
- LoadMaster GA version 7.2.63.1 and earlier, and LTSF version 7.2.54.17 and earlier, when the API feature is enabled
- MOVEit WAF GA version 7.2.62.2 and earlier
- ECS Connection Manager and Connection Manager for ObjectScale on equivalent pre-patch builds
Progress disclosed a second, high-severity flaw in the same advisory: CVE-2026-33691, a web application firewall bypass in which whitespace padding inserted into a filename can slip a malicious upload past extension-based filtering checks. An attacker who cannot get through the front door with CVE-2026-8037 alone may find the WAF bypass opens it for them.
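As an added, generic illustration of the WAF bypass bug class (not the MOVEit WAF filter itself; the blocklist, the choice of trailing whitespace as the padding and the assumption that the backend trims it before storing the file are all constructed for the example), here is a suffix check on the raw filename beside one that canonicalises the name first:

```c
#include <ctype.h>
#include <string.h>

/* Extensions the upload filter is meant to refuse (constructed list). */
static const char *BLOCKED_EXT[] = { ".php", ".jsp", ".aspx", NULL };

/* Case-insensitive "ends with" on the string exactly as given. */
static int ends_with_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    const char *tail = s + ls - lx;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Naive filter: compares the raw suffix. "shell.php " (trailing space)
 * does not end in ".php", so it passes, even though a backend that strips
 * the padding will store and later serve shell.php. Returns 1 = blocked. */
int upload_blocked_naive(const char *filename)
{
    for (int i = 0; BLOCKED_EXT[i]; i++)
        if (ends_with_ci(filename, BLOCKED_EXT[i])) return 1;
    return 0;
}

/* Hardened filter: canonicalise into buf the way the backend will
 * (assumed here: drop leading and trailing whitespace), then apply the
 * same check to the canonical form. Fails closed if the name does not fit. */
int upload_blocked_canonical(const char *filename, char *buf, size_t cap)
{
    while (*filename && isspace((unsigned char)*filename)) filename++;
    size_t n = strlen(filename);
    while (n > 0 && isspace((unsigned char)filename[n - 1])) n--;
    if (n + 1 > cap) return 1;
    memcpy(buf, filename, n);
    buf[n] = '\0';
    return upload_blocked_naive(buf);
}
```

The general lesson is the one any WAF bypass teaches: a filter must evaluate the same representation of the input that the protected backend will act on, otherwise every transformation the backend applies afterwards (trimming, case folding, path normalisation) is a gap the filter cannot see.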
Why a load balancer compromise is worse than a typical server compromise
Load balancers and application delivery controllers occupy a structurally different position in the network than the application servers behind them. They terminate TLS, they are frequently the only component directly reachable from the public internet, and they see every request destined for every backend service they front. Root access on the load balancer is not just one more compromised host, it is a vantage point that can intercept credentials, inject content into legitimate traffic, and pivot into every backend the appliance was configured to protect. Security teams that model their risk around application-layer vulnerabilities and treat the load balancer as trusted infrastructure are missing the component with the largest blast radius in the entire stack.
Patches exist, but exposure windows are long
Progress published fixed versions in early June: LoadMaster GA 7.2.63.2, LoadMaster LTSF 7.2.54.18, MOVEit WAF 7.2.63.0, and equivalent builds for ECS Connection Manager and Connection Manager for ObjectScale. Progress has stated it has no reports of active exploitation as of its advisory. That is a temporary state of affairs, not a guarantee. Publication of a working exploit chain by a research team of watchTowr’s calibre routinely precedes opportunistic scanning and exploitation by days, not months, and load balancers rank among the slowest categories of appliance to get patched in production environments because taking one offline, even briefly, touches every service it fronts.
For organisations running Progress application delivery infrastructure anywhere in a European estate, whether on premises, colocated, or in a cloud environment, this is a same-week patching priority, not a quarterly maintenance item.
What we recommend
- Confirm which Progress ADC products are deployed across your estate, including instances managed by third parties or embedded in vendor appliances
- Patch to the fixed versions listed above immediately, prioritising any appliance with its API enabled and reachable from the internet
- Where immediate patching is not possible, restrict API access to trusted management networks as an interim compensating control
- Review load balancer and WAF logs for anomalous API requests in the weeks prior to patching, since exploitation before public disclosure cannot be ruled out
- Treat load balancers and ADCs as first-class assets in vulnerability management programmes, with patch SLAs that match their exposure rather than their perceived operational sensitivity
If your organisation needs help auditing exposure to CVE-2026-8037, prioritising patch rollouts across critical network infrastructure, or building a vulnerability management process that treats edge appliances with the urgency they warrant, contact Excello Digital. We help European engineering and security teams keep the infrastructure that everything else depends on off the front page.
