A load balancer sees every request before your applications do, which is exactly why a CVSS 9.8, unauthenticated, root-level vulnerability in one is as bad as it gets. CVE-2026-8037 hits Progress Kemp LoadMaster, and as of June 29, watchTowr Labs has published a full technical write-up of the exploit chain — meaning a public proof-of-concept now exists for a bug that requires zero credentials to get root.
A sanitization function that didn't sanitize
The root cause is in escape_quotes(), a function meant to escape single quotes in user input before it's inserted into a shell command. Two bugs compound here: the function allocates its output buffer with malloc(), which doesn't zero-initialize memory, so the buffer starts out full of whatever uninitialized heap data was already there. Then it fails to write a null terminator after the escaped string. When that pointer later gets used in a sprintf/system() call to build a shell command, the missing terminator lets sprintf read past the buffer into adjacent, attacker-influenceable heap memory. watchTowr's write-up — titled "Enterprise Tech In, Shell Out" — walks the full path from that uninitialized read to unauthenticated root command execution.
It affects LoadMaster GA 7.2.63.1 and earlier, and LTSF 7.2.54.17 and earlier, specifically when the API feature is enabled. Progress's advisory also covers a related CVE, CVE-2026-33691, and the underlying issue reportedly extends to ECS Connection Manager, Object Scale Connection Manager, and MOVEit WAF — worth checking if any of those are in your environment.
Why the timeline matters more than usual
Progress published the advisory on June 4 with no evidence of active exploitation at the time. That changed the moment watchTowr's technical breakdown went public on June 29 — a working exploit chain compresses the gap between disclosure and mass exploitation from weeks to days. If you haven't patched since June 4, treat this as active risk today, not a maintenance window item.
Why a compromised load balancer is worse than a compromised server
Root on a LoadMaster appliance means an attacker can intercept or modify traffic to everything behind it, pivot into the internal network the appliance sits on, and disable the health-check and availability functions the appliance exists to provide. Network appliances like this also tend to sit outside standard EDR coverage since they're not conventional servers, which is exactly why they're attractive as a foothold — they're under-monitored by default.
Upgrade to LoadMaster GA 7.2.63.2 or LTSF 7.2.54.18 now. If you can't patch immediately, disable the API feature and restrict management-plane access to trusted internal networks as a stopgap — that alone removes the vulnerable surface. Then go back through logs since June 4 for anomalous API activity, because "no evidence of exploitation" from three weeks ago doesn't mean much once the exploit chain is public.