There is a specific kind of appliance in a lot of business networks that almost nobody thinks about until it breaks: the load balancer that sits out front, quietly deciding which server answers each request. When that box is healthy, you never hear about it. When it has a pre-authentication flaw, it stops being your doorman and becomes an open door.
That is exactly the situation this week with Progress Kemp LoadMaster, and attackers have already started knocking.
## ⚡ The 60-Second Version
- What: A critical flaw (CVE-2026-8037, CVSS 9.6) in Progress Kemp LoadMaster lets an unauthenticated attacker run commands as root on the appliance — no password, no login. It only affects units with the management API enabled.
- Fix: Update to GA v7.2.63.2 or LTSF v7.2.54.18 (or newer). If you can't patch today, turn off or firewall the API interface so it isn't reachable from the internet.
- By when: Now. Active exploitation attempts began June 29, 2026, and a full technical write-up with a working exploit is now public.
## What a "LoadMaster" actually is, in plain English
A load balancer is the traffic cop for your applications. If your company runs a website, a customer portal, an email system, or a line-of-business app that needs to stay up, a device like LoadMaster sits in front of it — spreading requests across servers, handling encryption, and keeping things responsive when you're busy. Progress Kemp LoadMaster is a popular one, and you'll find it in healthcare offices, law firms, manufacturers, and any mid-sized shop that outgrew a single server.
Because it sits at the very edge of the network — facing the internet by design — it's one of the first things an attacker sees. That's what makes this flaw serious. A bug deep inside an internal file server is bad. A bug on the box that greets every visitor is worse.
## What actually went wrong
Security researchers at watchTowr Labs published the full story, and it's a textbook example of a small coding mistake with big consequences. Inside LoadMaster there's a helper function whose job is to safely handle special characters in the text you send it. It had two defects: it handed back a chunk of memory it never properly cleaned, and it forgot to mark where the safe text ended.
You don't need to follow the internals. Here's the outcome: by sending specially crafted requests to the appliance's API endpoint, an unauthenticated attacker can confuse the device into running their own commands — as root, the most powerful account on the box. From there, they own the appliance, and the appliance is standing in front of your applications.
The one meaningful limit: this only works when LoadMaster's management API is turned on. Plenty of shops enable it for automation and monitoring, so don't assume you're safe — go check.
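To make the two defects concrete, here is an added illustration in C, written for this post and not taken from LoadMaster or from the watchTowr write-up: a small escaping helper with the defect pattern described above (it never clears the buffer it writes into and never marks where the escaped text ends) beside a hardened version, plus a check that shows what a caller would actually see in each case. The set of escaped characters and the buffer sizes are assumptions for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative set of bytes that get a backslash in front of them
 * (assumed for this example; not LoadMaster's real list). */
static const char NEEDS_ESCAPE[] = "\"'\\$`";

/* Defect pattern: escaped bytes are written into 'out', but the buffer is
 * never cleared and no '\0' is written. Anything already sitting in 'out'
 * after the escaped text becomes part of the string for a strlen() caller. */
size_t escape_defective(const char *in, char *out, size_t cap)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0' && j + 2 <= cap; i++) {
        if (strchr(NEEDS_ESCAPE, in[i])) out[j++] = '\\';
        out[j++] = in[i];
    }
    return j;          /* count is right, but out[j] is never set to '\0' */
}

/* Hardened form: clear the buffer, always terminate, and refuse input that
 * does not fit instead of truncating silently. Returns the escaped length,
 * or (size_t)-1 when 'in' cannot be escaped within 'cap' bytes. */
size_t escape_hardened(const char *in, char *out, size_t cap)
{
    if (cap == 0) return (size_t)-1;
    memset(out, 0, cap);
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        size_t need = strchr(NEEDS_ESCAPE, in[i]) ? 2 : 1;
        if (j + need >= cap) { out[0] = '\0'; return (size_t)-1; }
        if (need == 2) out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';
    return j;
}

/* Simulates a reused buffer full of stale bytes from an earlier request, then
 * reports how many bytes a string-consuming caller would see after 'esc'. */
size_t bytes_seen_by_caller(size_t (*esc)(const char *, char *, size_t),
                            const char *in)
{
    char buf[64];
    memset(buf, 'X', sizeof buf - 1);  /* constructed "stale" contents */
    buf[sizeof buf - 1] = '\0';        /* fence so strlen() is well-defined */
    esc(in, buf, sizeof buf);
    return strlen(buf);
}

/* Check helper: escape 'in' with the hardened function and compare. */
int hardened_matches(const char *in, const char *expected)
{
    char out[16];
    size_t n = escape_hardened(in, out, sizeof out);
    return n != (size_t)-1 && n == strlen(expected) && strcmp(out, expected) == 0;
}
```

With the input `a$b`, the defective helper leaves a caller seeing 63 bytes of mostly stale data, while the hardened helper yields exactly the 4 escaped bytes.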
## Why "no successful breaches yet" is not the same as "safe"
Here's the honest, non-scary version of the timeline. The team at eSentire reported that exploitation attempts against this flaw began on June 29, 2026, from a handful of internet addresses. So far, those particular attempts failed and no follow-on activity was seen.
That is good news for exactly one day. When a critical edge-appliance flaw has a public write-up and attackers are already probing for it, the gap between "attempts" and "successful compromise" tends to close fast. The people scanning the internet don't need to be clever — they need to find one unpatched box that still has the API exposed. Don't let yours be the one they find.
## What this means for your business
If you run Progress Kemp LoadMaster — or you're not sure whether you do — treat this as a this-week item:
- Find out if you have one. Ask your IT provider (or check your own gear) whether a Kemp/Progress LoadMaster is anywhere in your environment. It's often installed once and forgotten.
- Patch to a fixed version. Update to GA v7.2.63.2 or LTSF v7.2.54.18 or newer. This is the real fix; everything else is a stopgap.
- If you can't patch immediately, shrink the target. Disable the management API if you don't need it, and make sure the management interface is never reachable from the public internet — only from a trusted internal network or VPN.
- Look back, not just forward. Have someone review the appliance's logs for unexpected requests to the API endpoint since June 29. Patching closes the door; it doesn't tell you whether someone already walked through it.
And the broader lesson, even if you've never heard of LoadMaster: the boxes at your edge — firewalls, VPNs, load balancers, remote-access gateways — deserve the same patch discipline as your laptops. All year we've watched attackers favor exactly these devices, because one flaw there can bypass every other control you've bought. Know what you have facing the internet, and keep it current.
## How BVTech helps
For our managed clients, this is the quiet part of the job you're paying for: we keep an inventory of the internet-facing gear in your environment, we track advisories like this one the day they land, and edge appliances get patched on a schedule you don't have to think about. If you run a LoadMaster or any other perimeter device and you're not certain it's current, that's a five-minute conversation worth having.
If you're not a client yet and you'd like a straight answer on what you have exposed to the internet — and whether it's patched — book a call or take a look at our cybersecurity services. No fear-selling, just a clear picture of where you stand.
— Jordan Polasek · Founder, BVTech LLC