CVE-2026-8037
Confirmed · Published
OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
Not yet in CISA KEV
Recommended Action
Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
At a Glance
OS Command Injection Remote Code Execution Vulnerability in the API of Progress ADC products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints.
- CVE Published
- Jun 04, 2026
- Exploitation Reported
- Jul 01, 2026
- CVSS
- 9.6 Critical
- EPSS
- 8.2%
Affected Versions
| Vendor | Product | Version | Status | Source |
|---|---|---|---|---|
| Progress Software | LoadMaster | V7.2.60.0 to < V7.2.63.2 | Affected | CNA |
| Progress Software | LoadMaster | V7.2.45.12 to < V7.2.54.18 | Affected | CNA |
| Progress Software | ECS Connections Manager | V7.2.60.0 to < V7.2.63.2 | Affected | CNA |
| Progress Software | Object Scale Connection Manager | V7.2.60.0 to < V7.2.63.2 | Affected | CNA |
| Progress Software | MOVEit WAF | V7.2.60.0 to < V7.2.63.2 | Affected | CNA |
CVE References
Recommended Actions
- Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
- Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
| Source | Added |
|---|---|
| TheHackerNews First | 2026-07-01 14:51 UTC |
| KEVIntel | 2026-07-01 17:30 UTC |
Operational indicators for this CVE are listed on the Detection tab.
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 1
- Unique Attacker IPs
- 1
- Attacker Countries
- 🇺🇸
- Sensors Observed
- 1
Exploitation Attempts Over the Last 30 Days
First observed 2026-07-01 17:26 UTC · Last observed 2026-07-01 17:26 UTC
See more exploitation detail
- Pro — sensor software/region breakdown and 24h/7d window summaries.
- Enterprise — raw attacker IPs, request paths, User-Agents, and payloads.
Indicators of Compromise (IoCs)
Operational indicators linked to exploitation of this CVE. IoCs age over time — especially IP addresses.
Observed Detection Signals (30d)
Aggregate counts from KEVIntel sensor telemetry for this CVE.
- Distinct request paths
- 1
- Distinct User-Agents
- 1
The specific request paths and User-Agents attackers are using are available on Pro and Enterprise plans.
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users via the Pro API.
CVSS Scores
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-07-01 14:51:57 UTC · TheHackerNews
Active exploitation observed
Recorded 2026-07-01 17:26:49 UTC · KEVIntel sensor
Proof of concept available
Recorded 2026-06-30 07:57:54 UTC · GitHub
Weaknesses (CWE)
- Improper Neutralization of Special Elements used in a Command ('Command Injection')
Recent Mentions
TheHackerNews · Jul 01, 2026
A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve
TheHackerNews · Jun 30, 2026
A critical vulnerability in Progress Kemp LoadMaster can let an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw, tracked as CVE-2026-8037, carries a CVSS score of 9.8 according to ZDI. A patch is available. If you run LoadMaster with the API enabled, update now. Progress published its advisory on June
Watchtower Labs · Jun 29, 2026
Welcome back to another watchTowr Labs blog post. This time, we're looking at Progress Kemp LoadMaster, a load balancer that sits at the edge of a lot of enterprise networks. Edge appliances have a habit of becoming the way in rather than the thing keeping people out, and
Zero Day Initiative Published Advisories · Jun 09, 2026
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-8037.
Zero Day Initiative Published Advisories · Jun 09, 2026
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2026-8037.
Zero Day Initiative Published Advisories · Jun 09, 2026
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2026-8037.
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
- 17:26 UTC · about 4 hours ago: Observed by KEVIntel sensors (evidence-backed exploitation signal)
- 14:51 UTC · about 7 hours ago: Added to KEVIntel KEV Feed (high-confidence, third-party attested exploitation)
- 14:53 UTC · 1 day ago: Indicators of compromise added (4)
- 07:57 UTC · 1 day ago: Public PoC available (public proof-of-concept code published)
- 13:13 UTC · 27 days ago: CVE published (vulnerability disclosed publicly)
- 13:35 UTC · about 2 months ago: CVE ID reserved (identifier reserved by the CNA)
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
`GET /api/v2/pro/kevs/CVE-2026-8037`

```json
{
  "cve_id": "CVE-2026-8037",
  "title": "OS Command Injection Remote Code Execution Vulnerability in Progress LoadMast...",
  "affected_vendor": "Progress Software",
  "affected_product": "LoadMaster, ECS Connections Manager, Object Scale Connection Manager, MOVEit WAF",
  "affected_versions": [
    { "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
  ],
  "confidence": "Confirmed",
  "cvss_score": 9.6,
  "epss_score": 0.0819,
  "exploit_status": {
    "exploited_in_the_wild": true,
    "active_exploitation_observed": true
  },
  "sensor_telemetry": { "...": "Pro API fields" },
  "proof_of_concepts": [ "..." ],
  "scanner_integrations": [ "..." ]
}
```