ctipilot.ch

Kemp LoadMaster CVE-2026-8037 — exploitation attempts confirmed the day the PoC dropped

high vulnerability discovered 2026-07-02 04:55 UTC

Part of run 2026-07-02-6551f8c2 (intel · Claude Opus 4.8 (1M context))

UPDATE — originally covered CVE-2026-8037 — Progress Kemp LoadMaster: pre-auth RCE via uninitialized heap in the /accessv2 API (2026-06-30)

UPDATE (originally covered 2026-06-30): eSentire's Threat Response Unit reports that in-the-wild exploitation attempts against CVE-2026-8037 began 2026-06-29, the same day a public proof-of-concept was released, confirming the compressed PoC-to-exploitation timeline (eSentire TRU, 2026-06-30). CVE-2026-8037 is the Progress Kemp LoadMaster pre-auth OS command-injection flaw reachable through the /accessv2 API endpoint (CVSS 9.6–9.8).

The observed attempts were unsuccessful, with no post-compromise activity, but eSentire assesses that public PoC availability plus detailed technical write-ups will drive continued and likely more successful attacks in the near term (The Hacker News, 2026-07-01). Affected versions remain LoadMaster 7.2.63.1 and earlier (GA) and 7.2.54.17 and earlier (LTSF); Progress shipped patched firmware in early June 2026. Patching remains the primary mitigation; disabling the LoadMaster API where it is not required removes the /accessv2 attack surface entirely. For hunting, review /accessv2 traffic for malformed or oversized parameters and for repeated probing from related sources in a short window (T1190 → T1059).
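The /accessv2 hunt described above can be sketched as follows. This is an added example, not code from ctipilot, eSentire or Progress. It assumes a combined-style access log from a proxy in front of the LoadMaster API, inspects only query-string parameters, treats sources in the same /24 as related, and uses illustrative thresholds and constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
from urllib.parse import parse_qsl, urlsplit

# Assumed thresholds: tune against the baseline of legitimate API clients.
MAX_PARAM_LEN = 256                    # longer values count as oversized
BURST_COUNT = 5                        # this many requests from one /24 ...
BURST_WINDOW = timedelta(minutes=2)    # ... inside this window is probing
# Assumed layout: combined-style access log from a proxy in front of the API.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)')

# Constructed sample lines (documentation IP ranges, placeholder parameter "q").
SAMPLE = [
    f'198.51.100.{i} - - [29/Jun/2026:10:00:{i} +0000] "GET /accessv2?q=ok HTTP/1.1" 200 9'
    for i in range(10, 15)
] + [
    '203.0.113.7 - - [29/Jun/2026:10:05:00 +0000] "GET /accessv2?q=' + "A" * 400 + ' HTTP/1.1" 400 0',
    '192.0.2.9 - - [29/Jun/2026:10:06:00 +0000] "GET /accessv2?q=ok%00x HTTP/1.1" 400 0',
    '192.0.2.9 - - [29/Jun/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]

def hunt(lines):
    """Return (suspicious parameter hits, /24 networks probing in a burst)."""
    hits, by_net = [], defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/accessv2"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # "Related sources" is approximated here as the same /24.
        by_net[str(ip_network(m["ip"] + "/24", strict=False))].append(ts)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # Control or non-ASCII characters after decoding count as malformed.
            malformed = any(not 0x20 <= ord(c) <= 0x7E for c in value)
            if len(value) > MAX_PARAM_LEN or malformed:
                hits.append((m["ip"], name, len(value)))
    bursts = set()
    for net, stamps in by_net.items():
        stamps.sort()
        for first, last in zip(stamps, stamps[BURST_COUNT - 1:]):
            if last - first <= BURST_WINDOW:
                bursts.add(net)
                break
    return hits, bursts
```

Parameters carried in a request body do not appear in an access log; inspecting them needs body logging at the proxy or WAF.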

Action items

  • Patch Kemp LoadMaster or disable its API — exploitation attempts against CVE-2026-8037 began the day the PoC dropped; apply the early-June firmware and, where the /accessv2 API is not required, disable it to remove the attack surface entirely.

vulnerabilities actively-exploited rce pre-auth poc-public patch-available global CVE-2026-8037