Swati KhandelwalJun 30, 2026Vulnerability / API Security
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API.
The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now.
Progress published its advisory on June 4 and says it has not received any reports of exploitation. On June 29, researchers at watchTowr Labs published a detailed technical write-up that walks through the full exploit chain.
What the Flaw Does








