What is CVE-2026-8037?
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Timeline
- 2026-06-04Published to the U.S. National Vulnerability Database (NVD)
- 2026-07-01NVD record last updated
Affected product
See advisory
Remediation Steps
- Apply Progress vendor patch addressing OS command injection flaw
- Review access controls to Kemp LoadMaster management interfaces
- Monitor system logs for evidence of exploitation attempts
- Test patching in a non-production environment first
References
- https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
- https://labs.watchtowr.com/enterprise-tech-in-shell-out-progress-kemp-loadmaster-uninitialized-heap-to-pre-auth-rce-cve-2026-8037/
- https://nvd.nist.gov/vuln/detail/CVE-2026-8037
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Referenced in our briefings & reports
- Vulnerability Priority Report – Week 5 of June 2026 (June 29 – July 5)
Browse all tracked CVEs in the defend.network CVE database →
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.