    Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth

By admin, July 3, 2026

Swati Khandelwal, Jun 30, 2026, Vulnerability / API Security

    A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API.

    The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now.

    Progress published its advisory on June 4 and says it has not received any reports of exploitation. On June 29, researchers at watchTowr Labs published a detailed technical write-up that walks through the full exploit chain.

    What the Flaw Does

    LoadMaster is an application delivery controller and load balancer used by enterprises to manage traffic across servers. It sits at the network edge, which makes any pre-auth flaw in it especially dangerous.

    The vulnerability lives in a function called escape_quotes(), which is supposed to sanitize user input before it gets passed into a shell command. The function’s job is to escape single quotes so that an attacker cannot break out of a quoted string and inject commands. The problem: it allocated a memory buffer without clearing it first and never wrote a null terminator at the end of the sanitized string.

    That missing terminator is the whole exploit. Without it, the system keeps reading past the end of the sanitized input into whatever data happens to sit next to it in memory. An attacker can control what sits there by stuffing extra JSON keys into the same API request, each carrying a command injection payload. The system reads the sanitized input, keeps going, hits the attacker’s payload, and executes it.

    The attack targets the /accessv2 endpoint, which handles API credential validation. The attacker sends a JSON body with a specially crafted apiuser value and dozens of extra key-value pairs sprayed with the command they want to run. No valid credentials are needed. The command runs as root.

    Affected Versions and Fix

    The flaw affects LoadMaster GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older, when the API is enabled. Progress has released fixed versions: GA v7.2.63.2 and LTSF v7.2.54.18.

The patch itself is minimal. Two changes: the memory allocation function was swapped from one that leaves the buffer uninitialized to one that zero-fills it, and an explicit null terminator was added after the escaped output. Two lines of code that close a path to root.
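The bug class described above, as an added illustration in C that is not LoadMaster's code: a constructed escape_quotes() in its vulnerable shape (no zero-fill, no terminator) beside the patched shape, with the "uninitialized" memory simulated by pre-filling the output buffer with stale bytes so the effect is deterministic.

```c
#include <string.h>

/* Constructed illustration, not the vendor's code. Both variants write the
 * escaped form of `in` into `out` (capacity `cap`), turning each ' into the
 * shell-safe '\''. Returns bytes of escaped payload written, or -1 if the
 * input would not fit with a terminator. */
static long escape_into(const char *in, char *out, size_t cap,
                        int zero_fill, int terminate)
{
    size_t n = 0;
    if (zero_fill)
        memset(out, 0, cap);              /* patched shape: like calloc(), no stale bytes */
    for (; *in; in++) {
        const char *rep = (*in == '\'') ? "'\\''" : NULL;
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 > cap)            /* always leave room for the terminator */
            return -1;
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    if (terminate)
        out[n] = '\0';                    /* patched shape: explicit terminator */
    return (long)n;
}

/* Vulnerable shape: buffer left as-is, no terminator written. */
long escape_quotes_vuln(const char *in, char *out, size_t cap)
{
    return escape_into(in, out, cap, 0, 0);
}

/* Patched shape: zero-filled buffer and explicit terminator. */
long escape_quotes_fixed(const char *in, char *out, size_t cap)
{
    return escape_into(in, out, cap, 1, 1);
}

/* What a downstream command builder would see: strlen() of the escaped
 * buffer. `stale` stands in for whatever a non-clearing allocator left
 * behind (constructed, deterministic; the buffer is always NUL-capped). */
size_t observed_len(const char *in, const char *stale, int fixed)
{
    char buf[128];
    memset(buf, 0, sizeof buf);
    strncpy(buf, stale, sizeof buf - 1);
    if (fixed) escape_quotes_fixed(in, buf, sizeof buf);
    else       escape_quotes_vuln(in, buf, sizeof buf);
    return strlen(buf);                   /* vulnerable: runs into the stale bytes */
}
```

With stale data present, the unterminated output silently grows to include it; with a zeroed buffer the same input stops where the sanitized string ends.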

    The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through the Zero Day Initiative on April 15, 2026. ZDI coordinated the public advisory release on June 9. watchTowr Labs independently analyzed the patch diff and published their own full technical breakdown with a working proof of concept on June 29.

    Progress also patched a second, high-severity flaw in the same advisory: CVE-2026-33691, a WAF bypass where whitespace padding in filenames could circumvent file upload extension checks.

    A Pattern Worth Watching

    This is not LoadMaster’s first critical flaw. In November 2024, CISA added a previous LoadMaster command injection flaw (CVE-2024-1212, CVSS 10.0) to its Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild.

    In April 2026, Progress patched five more high-severity LoadMaster flaws, four of them command injection issues. Progress is also the maker of MOVEit, whose 2023 vulnerabilities fueled a mass exploitation campaign by the Cl0p ransomware group.

    The Canadian Centre for Cyber Security has also issued an advisory urging administrators to apply the updates.

    No attacks on CVE-2026-8037 have been reported yet. A working proof of concept is now public. Patch, and then ask whether the API needs to be reachable at all.
