Working Exploit Published for LoadMaster CVE-2026-8037 RCE

watchTowr Labs published a working exploit for CVE-2026-8037, a pre-authentication root RCE in Progress Kemp LoadMaster, weeks after patches were released.

    watchTowr Labs has published a full working proof-of-concept for CVE-2026-8037, a pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster — placing every internet-exposed LoadMaster appliance running unpatched software at immediate exploitation risk.

    CVE-2026-8037: Uninitialized Heap in escape_quotes() Leads to Root Shell

    CVE-2026-8037 carries a CVSS score of 9.8 Critical and affects Progress Kemp LoadMaster, an application delivery controller and load balancer widely deployed in enterprise networks. The flaw resides in the escape_quotes() function, a routine designed to sanitize user input before passing it to shell commands. The sanitization logic is vulnerable to uninitialized heap exploitation: an unauthenticated attacker can send a crafted API request that exploits the heap condition to execute arbitrary operating system commands as root.

    The attack requires no credentials, no prior access to the LoadMaster management interface, and no foothold within the target network. If the LoadMaster API is enabled and the appliance is reachable over the network, CVE-2026-8037 provides a direct path to root-level command execution.

    How TrendAI Research Found and Reported CVE-2026-8037

    The vulnerability was discovered by Syed Ibrahim Ahmed of TrendAI Research and reported to Progress through the Zero Day Initiative on April 15, 2026. Progress published its security advisory on June 4 and released fixed versions at the same time: GA v7.2.63.2 addresses the flaw for organizations on the general availability branch, and LTSF v7.2.54.18 addresses it for organizations on the long-term support branch.

    Organizations that applied the June 4 patches on their LoadMaster appliances are protected. Those that did not patch in the three weeks between the advisory and watchTowr’s PoC publication now face a materially different threat environment. The affected versions are LoadMaster GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older, in both cases only when the API is enabled.

    watchTowr’s Full Exploit Chain Turns a Heap Bug Into an RCE

    watchTowr Labs published its exploit walk-through and working proof-of-concept on June 29. The publication includes a full technical breakdown of the exploit chain — from the initial crafted API request through the uninitialized heap condition in escape_quotes() to arbitrary command execution as root. Working PoC code that reproduces the full chain is included.

    The decision to publish a full working exploit rather than a high-level technical description substantially raises the risk for unpatched organizations. A researcher or threat actor with network access to an unpatched LoadMaster can now follow the documented chain without needing to independently reproduce the vulnerability research. watchTowr’s publication came three weeks after Progress released the fix — a standard disclosure timeline intended to give organizations sufficient time to patch before exploit code is public. Organizations that did not apply the June 4 advisory within that window now face working public exploit code.

    Progress Kemp LoadMaster in Enterprise Networks

    Progress Kemp LoadMaster appliances are deployed in enterprise environments to manage application traffic, provide load balancing across server farms, and handle application delivery for web and business applications. As network infrastructure appliances, they are frequently internet-facing or accessible from administrative networks with broad reach into the organization’s server infrastructure.

    A pre-auth root RCE on a load balancer gives an attacker access to a device that sits in front of production systems. Beyond the appliance itself, a compromised LoadMaster can be a staging point for traffic interception, credential harvesting from proxied application sessions, or lateral movement toward the server infrastructure behind it.

    Organizations running LoadMaster should confirm their appliance versions and apply GA v7.2.63.2 or LTSF v7.2.54.18 immediately. Any appliance still running an affected version with the API enabled should be treated as a high-priority patching target given the availability of a working, publicly documented exploit chain.
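The version check described above can be run across an appliance inventory. The following is an added example, not code from Progress, watchTowr or the original article; the inventory format, the status names and the sample rows are assumptions, and the branch (GA or LTSF) must be supplied by the inventory because a version string alone does not identify it.

```python
# Added triage example; inventory rows below are constructed sample data.
import re

# First fixed release per branch, as stated in the article.
FIXED = {"GA": (7, 2, 63, 2), "LTSF": (7, 2, 54, 18)}

def parse_version(text):
    """Turn 'v7.2.63.1' or '7.2.54.17' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){1,3})\s*", text, re.IGNORECASE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 7.2.63 == 7.2.63.0

def triage(branch, version, api_enabled):
    """Classify one appliance: 'vulnerable', 'patch-pending', 'fixed' or 'review'."""
    fixed = FIXED.get(branch.strip().upper())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "review"  # unknown branch or odd version string: check by hand
    if parsed >= fixed:
        return "fixed"
    # Affected build: exposed only when the API is enabled, but still needs the update.
    return "vulnerable" if api_enabled else "patch-pending"

def report(inventory):
    """Return (name, status) pairs, most urgent first."""
    order = {"vulnerable": 0, "review": 1, "patch-pending": 2, "fixed": 3}
    rows = [(name, triage(b, v, api)) for name, b, v, api in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory: (name, branch, version, API enabled)
SAMPLE = [
    ("lb-edge-01", "GA", "v7.2.63.1", True),
    ("lb-edge-02", "GA", "7.2.63.2", True),
    ("lb-dc-01", "LTSF", "7.2.54.17", False),
    ("lb-dc-02", "LTSF", "v7.2.54.18", True),
    ("lb-lab-01", "ga", "7.2.x", True),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE):
        print(f"{status:14} {name}")
```

An appliance reported as `patch-pending` runs an affected build with the API disabled; it moves to `vulnerable` as soon as the API is turned on, so it still belongs in the patch queue.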
