Active Exploitation Reported Against Progress Kemp LoadMaster Pre-Auth RCE (CVE-2026-8037)

Threat responders flag in-the-wild attempts against a 9.6-rated OS command injection flaw in the load balancer, days after Progress issued a fixed build.

ThreatVectr Newsdesk· 2 min read
Active Exploitation Reported Against Progress Kemp LoadMaster Pre-Auth RCE (CVE-2026-8037)
Share

Attackers are probing an unauthenticated command injection flaw in Progress Kemp LoadMaster, according to telemetry shared by a Canadian incident response team.

The vulnerability is tracked as CVE-2026-8037, rated 9.6 on the CVSS v3.1 scale. It is an operating system command injection weakness in the LoadMaster management interface. Successful exploitation yields remote code execution without authentication.

That combination — pre-auth reach plus OS-level code execution — is the profile network edge appliances have been punished for repeatedly over the last three years. LoadMaster sits in front of application traffic. A foothold there is a foothold across the stack.

The vendor has issued a patched firmware build. Administrators running affected LoadMaster and Multi-Tenant LoadMaster versions should consult the Progress security advisory and apply the fixed release. Where immediate patching is not possible, restricting access to the WUI (Web User Interface) to a management VLAN or jump host materially reduces exposure. The management interface should never face the public internet.

Exploitation attempts have been observed in the wild. The responders reporting the activity have not attributed it to a named actor, and it is not yet clear whether the traffic represents opportunistic scanning, reliable weaponization, or both. Indicators of compromise have not been published in full.

A quick note on regulatory posture. Federal civilian agencies operating LoadMaster appliances fall under BOD 22-01 once CISA adds an entry to the Known Exploited Vulnerabilities catalog; that entry had not appeared at the time of writing. Publicly traded operators should also consider whether exploitation of an internet-facing load balancer triggers the four-business-day materiality disclosure clock under Item 1.05 of Form 8-K, added by the SEC's final cybersecurity disclosure rule adopted July 26, 2023 (Release Nos. 33-11216; 34-97989). The determination turns on materiality, not on patch status.

EU operators should map the incident against NIS2 Article 23 reporting obligations, which require an early warning within 24 hours of becoming aware of a significant incident and an incident notification within 72 hours. Transposition deadlines vary by member state.

Detection guidance is thin at this stage. Defenders should hunt for anomalous child processes spawned by the LoadMaster web service account, outbound connections from the appliance to unfamiliar infrastructure, and new local accounts on the device. Preserve WUI access logs. If exploitation is confirmed, treat the appliance as fully compromised and rebuild from a clean image; credential rotation for anything the appliance could reach is not optional.

Comment periods do not apply here. This is a live patch-or-mitigate situation.

© 2026 Threat Vectr