CVE-2026-8037 is a critical vulnerability affecting Progress Kemp LoadMaster, enabling pre-authenticated Remote Code Execution (RCE) via OS command injection through the product's API. Active exploitation attempts began on June 29, 2026, coinciding with the public release of proof-of-concept code. The affected versions are LoadMaster GA v7.2.63.1 and older, and LTSF v7.2.54.17 and older.
The exploitation risk is heightened because LoadMaster often operates at a sensitive network edge, which makes it a significant target for attackers. Organizations are advised to prioritize firmware updates and reduce API exposure. Key mitigation strategies include restricting access to trusted networks and monitoring for suspicious activity.
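One way to apply the affected-version ranges above to an appliance inventory and order the patch queue, as an added example that is not from the advisory or from Progress. The inventory layout, host names, the GA/LTSF label per row, the sample version strings and the choice to compare only the first four version components are assumptions.

```python
import re

# Last affected release per branch, as stated in the text above.
LAST_AFFECTED = {"GA": (7, 2, 63, 1), "LTSF": (7, 2, 54, 17)}

def parse_version(text):
    """Return the first four numeric components of a version string, or None.

    Assumption: any trailing build suffix is ignored for the comparison.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+){1,3})", text, re.IGNORECASE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(branch, version, api_exposed):
    """Classify one appliance for patch prioritisation."""
    last = LAST_AFFECTED.get(branch.strip().upper())
    parsed = parse_version(version)
    if last is None or parsed is None:
        return "review"  # unknown branch or unparsable version: check by hand
    if parsed > last:
        return "not-affected"
    # In the affected range: an API reachable from untrusted networks goes first.
    return "affected-exposed" if api_exposed else "affected"

# Constructed sample inventory (hosts, versions and suffixes are illustrative):
# (host, branch, reported version, API reachable from untrusted networks)
INVENTORY = [
    ("lb-edge-01", "GA", "v7.2.63.1", True),
    ("lb-edge-02", "GA", "7.2.64.0", True),
    ("lb-core-01", "LTSF", "7.2.54.17.22500.RELEASE", False),
    ("lb-core-02", "LTSF", "7.2.54.18", False),
    ("lb-lab-01", "ga", "7.2.48", True),
    ("lb-old-01", "", "n/a", True),
]

ORDER = {"affected-exposed": 0, "affected": 1, "review": 2, "not-affected": 3}

def prioritise(inventory):
    """Return (host, status) pairs, most urgent first (stable within a status)."""
    rows = [(host, triage(b, v, e)) for host, b, v, e in inventory]
    return sorted(rows, key=lambda r: ORDER[r[1]])

if __name__ == "__main__":
    for host, status in prioritise(INVENTORY):
        print(f"{host:12} {status}")
```

Rows that come back as "review" lack a recognisable branch or version and need a manual check before they are treated as safe.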