On point: A critical pre-authentication RCE vulnerability (CVE-2026-8037, CVSS 9.8) in Progress Kemp LoadMaster allows attackers to run commands as root via the API; a patch is available.
A critical vulnerability in Progress Kemp LoadMaster (CVE-2026-8037) allows unauthenticated attackers to execute arbitrary commands with root privileges via the API interface. The CVSS score is 9.8.
Progress Kemp LoadMaster contains a critical vulnerability that allows attackers without prior authentication to execute arbitrary commands with root privileges on the appliance. The vulnerability is triggered via a specially crafted request to the API interface. The Vulnerability Lab (ZDI) assigns a CVSS score of 9.8 to the vulnerability.
For CISOs, this vulnerability is critical because Kemp LoadMaster is frequently deployed as a network entry point. A pre-authentication RCE bug of this severity lets attackers take complete control of the appliance, and potentially the underlying network, without any credentials.
Progress has released a patch. Organizations operating Kemp LoadMaster with the API enabled should deploy this security update immediately. The availability of patches significantly reduces the immediate risk, provided they are deployed in a timely manner.
Source: thehackernews.com · Published June 30, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.