TL;DR
- what: Attackers are actively probing Progress Kemp LoadMaster appliances for CVE-2026-8037, a CVSS 9.6 pre-auth OS command injection flaw at the /accessv2 API endpoint.
- impact: Successful exploitation gives an unauthenticated attacker arbitrary command execution on the load balancer, a device that sits inline in front of critical application traffic.
- fix: Apply the Progress LoadMaster update released in June 2026 that fixes CVE-2026-8037, and restrict management API access to trusted networks.
- who: Any organization running an internet-exposed or broadly reachable Progress Kemp LoadMaster appliance.
Attackers started hitting Progress Kemp LoadMaster load balancers on June 29, 2026, according to eSentire's Threat Response Unit (TRU). The target is CVE-2026-8037, a CVSS 9.6 OS command injection flaw that lets an unauthenticated attacker run arbitrary commands on the appliance. This is a network chokepoint device sitting inline in front of application traffic, so a compromise here is a foothold with reach.
The observed attempts failed, and eSentire reported no post-compromise activity. That is the good news and it is temporary. watchTowr Labs published a detailed technical analysis this week, and a proof-of-concept exploit is circulating. Failed probes from three IPs are the opening move, not the whole game. Treat the current lull as the patch window, because it is closing.
What the flaw actually is
Progress disclosed the vulnerability in early June 2026: an OS command injection in the LoadMaster API that lets an unauthenticated attacker execute arbitrary commands by exploiting unsanitized input. watchTowr traced the root cause to a function named escape_quotes() in the load balancer application. The function failed to properly null-terminate sanitized strings, producing an out-of-bounds read into adjacent heap memory.
From there an attacker sends specially crafted requests to the /accessv2 endpoint that manipulate heap memory to trigger command injection. No credentials required. The bug is a memory-handling mistake in input sanitization that cascades into full command execution, which is why the CVSS score lands at 9.6.
⚠️ Block these source IPs now — eSentire attributes the exploitation attempts to 192.42.116.58, 192.42.116.105, and 146.70.139.154. Block them at the perimeter and hunt for prior connections to /accessv2 from these hosts, but do not treat blocklisting as remediation. New infrastructure will follow the public PoC.
Why this device matters
A load balancer is not an endpoint you can quietly reimage. It terminates and routes traffic for the applications behind it, often with visibility into internal network segments and inline access to session data. Arbitrary command execution on a LoadMaster gives an attacker a persistent, high-trust position for pivoting, traffic interception, and lateral movement. Appliances like this are also frequently internet-facing by design and under-monitored compared to servers.
Not the first time
CVE-2026-8037 is the second Progress Kemp LoadMaster flaw to draw active exploitation. The first was CVE-2024-1212, a CVSS 10.0 OS command injection that also allowed arbitrary system command execution. Two critical command-injection bugs in the same product line, both exploited in the wild, is a pattern. If you run LoadMaster, assume the management API is a priority target and architect access accordingly.
What to do now
- Apply the Progress LoadMaster update that fixes CVE-2026-8037, released in early June 2026. If you have not patched since disclosure, this is your top priority.
- Restrict access to the management API and /accessv2 endpoint to trusted management networks only. Do not expose it to the internet.
- Block the three known attacker IPs and alert on any inbound requests to /accessv2 from untrusted sources.
- Review appliance logs for requests to /accessv2 and any unexpected process execution or outbound connections dating back to at least June 29, 2026.
- Confirm CVE-2024-1212 is also patched. If this device slipped patching once, verify it did not slip twice.
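As an added example (not code from eSentire, watchTowr or Progress), here is a small Python hunt over constructed access-log lines that implements two of the checks above: any request from the three reported source IPs, and any /accessv2 request from outside an assumed trusted management network (10.10.0.0/24) on or after June 29, 2026. The log layout is an assumption; adapt the regex to the appliance's real format.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Source IPs named in the eSentire report quoted above.
KNOWN_ATTACKER_IPS = {"192.42.116.58", "192.42.116.105", "146.70.139.154"}
# Assumed trusted management network; replace with your own ranges.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Start of the hunt window: first observed attempts on June 29, 2026.
HUNT_START = datetime(2026, 6, 29, tzinfo=timezone.utc)

# Assumed (constructed) access-log layout; adapt to the real appliance format:
#   <ISO-8601 timestamp> <client_ip> "<METHOD> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def hunt(log_text):
    """Return one finding per suspicious line: (timestamp, ip, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the expected layout
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < HUNT_START:
            continue  # before the hunt window
        ip = ipaddress.ip_address(m["ip"])
        path = m["path"].split("?")[0]
        if str(ip) in KNOWN_ATTACKER_IPS:
            findings.append((m["ts"], str(ip), path, "known-attacker-ip"))
        elif path.startswith("/accessv2") and not any(ip in n for n in TRUSTED_MGMT_NETS):
            findings.append((m["ts"], str(ip), path, "accessv2-from-untrusted-source"))
    return findings


# Constructed sample log lines for demonstration (not real appliance output).
SAMPLE_LOG = """\
2026-06-29T03:12:44Z 192.42.116.58 "POST /accessv2 HTTP/1.1" 500
2026-06-29T03:12:51Z 146.70.139.154 "GET /accessv2 HTTP/1.1" 401
2026-06-30T09:01:10Z 10.10.0.15 "POST /accessv2 HTTP/1.1" 200
2026-06-30T11:45:02Z 203.0.113.7 "POST /accessv2 HTTP/1.1" 200
2026-06-28T23:59:59Z 203.0.113.7 "POST /accessv2 HTTP/1.1" 401
2026-06-30T12:00:00Z 203.0.113.9 "GET /index.html HTTP/1.1" 200
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

The sample run flags the two known-IP probes and the untrusted /accessv2 request from 203.0.113.7, and ignores the trusted-network request and the one dated before June 29.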
Bottom line — Exploitation is early and currently failing, but a public PoC plus a full technical writeup means the barrier to reliable exploitation is dropping this week. Patch now, lock down API exposure, and hunt back to June 29. Do not wait for a successful compromise to prove the risk.
Originally published on RedEye Threat Intelligence.