Progress LoadMaster API Vulnerability Exposes Systems to Root-Level Command Execution

What happened

A newly disclosed critical vulnerability in Progress LoadMaster could allow attackers to execute arbitrary commands with root privileges on affected appliances without authentication. The flaw, tracked as CVE-2026-8037, received a CVSS score of 9.8 and affects systems with the API enabled.

The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through the Zero Day Initiative. While Progress says there are currently no known cases of active exploitation, researchers at watchTowr Labs have since published a detailed technical analysis and proof-of-concept demonstrating how the flaw can be exploited.

According to the researchers, the issue stems from improper input sanitization in a function that escapes user-supplied data before it is passed to a shell command. The routine does not reliably terminate the escaped string, so the code that builds the command keeps reading into adjacent memory; data an attacker places there is appended to the command as if it were escaped input. The exploit targets the /accessv2 endpoint, requires no valid credentials, and results in command execution as the root user.
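
The following C program is an added illustration of the bug class described above; it is constructed for this article and is not LoadMaster's code, and the buffer sizes, function names and the "adjacent field" layout are assumptions. It shows an escaper that backslash-quotes shell metacharacters but skips the terminating NUL when its output exactly fills the buffer, a command builder that then reads straight into the neighbouring request field, and a corrected escaper that always terminates and reports truncation so the caller can refuse the request.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed illustration, not LoadMaster's code. Sizes and names are assumptions. */
#define ESC_LEN 16      /* size of the escaper's output slot */
#define FIELD_LEN 32    /* adjacent request field, also attacker-controlled */

struct request_frame {
    /* One contiguous block: [0, ESC_LEN) holds the escaper's output,
       [ESC_LEN, ESC_LEN + FIELD_LEN) holds the next request field. */
    char mem[ESC_LEN + FIELD_LEN];
};

static bool is_shell_special(char c) {
    return strchr(";|&$`\"'\\<>() \n", c) != NULL;
}

/* Vulnerable escaper: writes up to outlen bytes and returns the count.
   When the escaped text fills the buffer exactly, no NUL is written. */
static size_t escape_vuln(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in != '\0'; in++) {
        size_t need = is_shell_special(*in) ? 2 : 1;
        if (n + need > outlen) break;     /* out of room: silently truncate */
        if (need == 2) out[n++] = '\\';
        out[n++] = *in;
    }
    if (n < outlen) out[n] = '\0';        /* BUG: skipped when n == outlen */
    return n;
}

/* Fixed escaper: reserves one byte for the terminator, always writes it,
   and returns false when the input did not fit so the caller can reject. */
static bool escape_fixed(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen == 0) return false;
    for (; *in != '\0'; in++) {
        size_t need = is_shell_special(*in) ? 2 : 1;
        if (n + need > outlen - 1) { out[n] = '\0'; return false; }
        if (need == 2) out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
    return true;
}

/* Command builder that trusts the escaper to have produced a C string. */
static size_t build_command(const char *escaped, char *cmd, size_t cmdlen) {
    return (size_t)snprintf(cmd, cmdlen, "/bin/echo %s", escaped);
}

/* Vulnerable path: a 16-byte user string fills the slot exactly, so %s
   runs on into the adjacent field and its contents join the command. */
size_t demo_vuln(char *cmd, size_t cmdlen) {
    struct request_frame f;
    memset(f.mem, 0, sizeof f.mem);
    escape_vuln("AAAAAAAAAAAAAAAA", f.mem, ESC_LEN);
    strncpy(f.mem + ESC_LEN, "; id", FIELD_LEN);   /* attacker-chosen neighbour */
    return build_command(f.mem, cmd, cmdlen);
}

/* Fixed path: the same input is reported as not fitting and is refused. */
bool demo_fixed(char *cmd, size_t cmdlen) {
    struct request_frame f;
    memset(f.mem, 0, sizeof f.mem);
    bool ok = escape_fixed("AAAAAAAAAAAAAAAA", f.mem, ESC_LEN);
    strncpy(f.mem + ESC_LEN, "; id", FIELD_LEN);
    if (!ok) { cmd[0] = '\0'; return false; }
    build_command(f.mem, cmd, cmdlen);
    return true;
}

int main(void) {
    char cmd[128];
    demo_vuln(cmd, sizeof cmd);
    printf("vulnerable build: %s\n", cmd);
    if (!demo_fixed(cmd, sizeof cmd))
        printf("fixed build: request rejected (escaped input would not fit)\n");
    return 0;
}
```

The point to take from the vulnerable path is that the escaper itself never misquotes a character; the injection arrives through bytes the escaper never looked at. Any fix must therefore guarantee termination (or pass an explicit length to the command builder) rather than only tightening the metacharacter list.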

Progress has released patches addressing the vulnerability in LoadMaster GA v7.2.63.2 and LTSF v7.2.54.18.

Who is affected

The vulnerability affects organizations using Progress LoadMaster versions GA v7.2.63.1 and earlier or LTSF v7.2.54.17 and earlier when the API is enabled.

LoadMaster is commonly deployed as an application delivery controller and load balancer, making it a critical component of enterprise infrastructure. Because it often sits at the network edge, successful exploitation could provide attackers with privileged access to systems responsible for directing application traffic.

The advisory also includes fixes for another high-severity vulnerability, CVE-2026-33691, which could allow attackers to bypass file upload restrictions.

Why CISOs should care

Although no attacks have been publicly reported, the release of a working proof-of-concept significantly increases the likelihood of exploitation attempts.

The vulnerability is particularly concerning because it requires no authentication and results in root-level command execution. Internet-facing appliances are frequently targeted soon after technical exploit details become public.

The disclosure also continues a pattern of serious security issues affecting LoadMaster. Previous command injection vulnerabilities have been exploited in the wild, and cybersecurity agencies have encouraged organizations to prioritize patching edge infrastructure before vulnerabilities become widely weaponized.

3 practical actions

  • Apply the fixed releases (GA v7.2.63.2 or LTSF v7.2.54.18) to every Progress LoadMaster appliance running a vulnerable version, prioritizing internet-facing units.
  • Review API exposure: the flaw is reachable only when the API is enabled, so disable it where it is not operationally required, and otherwise restrict it to management networks rather than exposing it to the internet.
  • Monitor for suspicious activity, including unexpected or unauthenticated requests to the /accessv2 endpoint, privileged command execution, and other signs of compromise on LoadMaster systems.