CVE-2026-8037
Published 2026-06-04
CVE-2026-8037: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on…
Priority: P2 · 65 · critical · CVSS 3.1 base score 9.6
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.87% (76.7th percentile)
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress_software | ecs_connections_manager | >= V7.2.60.0 < V7.2.63.2 | V7.2.63.2 |
| progress_software | loadmaster | >= V7.2.45.12 < V7.2.54.18 | V7.2.54.18 |
| progress_software | loadmaster | >= V7.2.60.0 < V7.2.63.2 | V7.2.63.2 |
| progress_software | moveit_waf | >= V7.2.60.0 < V7.2.63.2 | V7.2.63.2 |
| progress_software | object_scale_connection_manager | >= V7.2.60.0 < V7.2.63.2 | V7.2.63.2 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the /accessv2 API endpoint on LoadMaster appliances, especially those containing JSON bodies with an 'apiuser' key alongside numerous extra key-value pairs (spray pattern), which is indicative of the null-terminator exploit technique.
- Alert on unauthenticated API requests to LoadMaster that contain abnormally large numbers of JSON key-value pairs in a single request body, as this is the mechanism used to place attacker-controlled command injection payloads adjacent to the sanitized input buffer.
- Flag any shell command execution originating from the LoadMaster API process running as root, particularly when triggered without prior authentication, as the vulnerability allows pre-auth root command execution.
- A public working proof-of-concept was released by watchTowr Labs on June 29, 2026. Treat any exploitation attempts against LoadMaster GA v7.2.63.1 and older, or LTSF v7.2.54.17 and older with the API enabled, as high-priority incidents.
- The vulnerability is only exploitable when the LoadMaster API is enabled. Disabling the API removes the attack surface entirely.
- Fixed versions are GA v7.2.63.2 and LTSF v7.2.54.18. Detections targeting vulnerable versions should scope to GA ≤7.2.63.1 and LTSF ≤7.2.54.17.
- The root cause is in the escape_quotes() function: uninitialized buffer allocation and a missing null terminator. Detections based on sanitization bypass may not apply to patched versions, where calloc (zero-filling) and an explicit null terminator have been added.
VulDB
Progress LoadMaster API command injection
vuldb · 2026-06-04 · CVSS 9.6
CVE-2026-8037 [CRITICAL] Progress LoadMaster API command injection
A vulnerability was found in Progress LoadMaster, ECS Connections Manager, Object Scale Connection Manager and MOVEit WAF. It has been classified as critical. The impacted element is an unknown function of the component API. Performing a manipulation results in command injection.
This vulnerability is identified as CVE-2026-8037. The attack can only be performed from the local network. No exploit is available.
Upgrading the affected component is recommended.
GHSA
ghsa_unreviewed · 2026-06-04
CVE-2026-8037 [CRITICAL] CWE-77
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints
No detection rules found.
No public exploits indexed.
Published: 2026-06-04