🔴 Critical | Source: The Hacker News
A critical unauthenticated remote code execution vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster allows an attacker to run arbitrary commands as root simply by sending a crafted API request — no credentials required. With a CVSS score of 9.8, it sits in the critical severity band, and any internet-exposed LoadMaster appliance with the API enabled is at immediate risk. A patch has been released and should be applied without delay.
Security Architect’s Take: Prioritise emergency patching of all LoadMaster appliances; if patching cannot be completed right away, disable the management API and use network controls or firewall rules to restrict access to it to trusted management IP ranges only.
Original advisory: Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth