Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth

A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now. Progress published its advisory on June

The article reports a critical OS command injection / remote code execution vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster’s API that allows an unauthenticated attacker to execute arbitrary commands as root via crafted requests, with a CVSS score around 9.6–9.8, and patches now available from Progress.[2][3][10] Progress’ June 2026 bulletin confirms the issue and indicates fixed versions (e.g., LMOS 7.2.63.2) for affected LoadMaster releases.[2][7][10] From a CyberSE.AI perspective, any AI agents or AI infrastructure front-ended, load-balanced, or protected by vulnerable LoadMaster appliances inherit this exposure in their AI supply chain, meaning compromise of the appliance can lead to downstream service takeover, traffic manipulation, or exfiltration of AI-related data and secrets. Organizations should treat LoadMaster and similar ADC/WAF components as critical AI-adjacent infrastructure, incorporate them in SBOM-driven risk management, and rapidly patch or isolate affected instances, especially where APIs are enabled and used by AI systems.