cbcvebase.
CVE-2026-8037
published 2026-06-04


Priority: P2 · 65 | Severity: critical | CVSS 3.1 base score: 9.6
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.87% (76.7th percentile)
OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an un-authenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints

Affected (5 ranges)

Vendor              Product                          Affected versions              Fixed in
progress_software   ecs_connections_manager          >= V7.2.60.0, < V7.2.63.2      V7.2.63.2
progress_software   loadmaster (LTSF)                >= V7.2.45.12, < V7.2.54.18    V7.2.54.18
progress_software   loadmaster (GA)                  >= V7.2.60.0, < V7.2.63.2      V7.2.63.2
progress_software   moveit_waf                       >= V7.2.60.0, < V7.2.63.2      V7.2.63.2
progress_software   object_scale_connection_manager  >= V7.2.60.0, < V7.2.63.2      V7.2.63.2

Detection & IOCs (extracted from sources)

URL: /accessv2
  • Detect unauthenticated POST requests to the /accessv2 API endpoint on LoadMaster appliances, especially those whose JSON body contains an 'apiuser' key alongside a large number of extra key-value pairs (a spray pattern). That shape is characteristic of the null-terminator exploit technique.
  • Alert on unauthenticated API requests to LoadMaster whose single JSON body carries an abnormally large number of key-value pairs: this is the mechanism used to place attacker-controlled command-injection payloads adjacent to the sanitized input buffer.
  • Flag any shell command execution spawned by the LoadMaster API process running as root, particularly when no prior authentication occurred, since the vulnerability allows pre-auth root command execution.
  • A public working proof-of-concept was released by watchTowr Labs on June 29, 2026. Treat any exploitation attempt against LoadMaster GA V7.2.63.1 and older, or LTSF V7.2.54.17 and older, with the API enabled as a high-priority incident.
  • The vulnerability is only exploitable when the LoadMaster API is enabled; disabling the API removes the attack surface entirely.
  • Fixed versions are GA V7.2.63.2 and LTSF V7.2.54.18. Detections that target vulnerable versions should scope to GA ≤ 7.2.63.1 and LTSF ≤ 7.2.54.17.
  • The root cause is in the escape_quotes() function: the output buffer is allocated uninitialized and never null-terminated, so the sanitized string runs on into whatever follows it in memory. Detections based on the sanitization bypass may not apply to patched versions, where the allocation uses calloc (zero-filling) and an explicit null terminator has been added.
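The two request-shape rules above (unauthenticated POST to /accessv2, 'apiuser' plus a sprayed key set) and the version-scoping note can be turned into a small triage script. The block below is an added example written for this page; it is not code from the advisory, from Progress, or from watchTowr. It assumes a request record that already carries an `authenticated` flag from upstream telemetry (it does not re-implement LoadMaster authentication), a spray threshold of 20 keys that you would tune against a baseline of normal /accessv2 traffic, and constructed sample requests; only the version ranges come from the Affected table on this page.

```python
"""Triage helpers for the CVE-2026-8037 /accessv2 spray pattern.

Example code added to this page, not vendor or researcher code. The
`authenticated` flag, the key threshold and the sample requests are
assumptions made for the example; the version ranges are from the page.
"""
import json
from dataclasses import dataclass

# "Abnormally large" key count: an assumed threshold, tune it to your baseline.
SPRAY_KEY_THRESHOLD = 20

# Vulnerable ranges as listed on this page (lower bound inclusive, fixed version exclusive).
VULNERABLE_RANGES = (
    ("V7.2.60.0", "V7.2.63.2"),    # GA branch, fixed in V7.2.63.2
    ("V7.2.45.12", "V7.2.54.18"),  # LTSF branch, fixed in V7.2.54.18
)


@dataclass
class ApiRequest:
    """One request as a detection pipeline might see it. `authenticated`
    is assumed to come from the appliance's own auth telemetry."""
    method: str
    path: str
    body: str
    authenticated: bool


def parse_version(v: str) -> tuple:
    """'V7.2.63.1' -> (7, 2, 63, 1); tuples compare component-wise."""
    return tuple(int(p) for p in v.strip().lstrip("Vv").split("."))


def is_vulnerable_version(version: str, api_enabled: bool = True) -> bool:
    """True when the build falls in a listed range and the API is enabled."""
    if not api_enabled:          # page: no API, no attack surface
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in VULNERABLE_RANGES)


def count_keys(obj) -> int:
    """Count JSON object keys at every nesting level, so a nested spray still counts."""
    if isinstance(obj, dict):
        return len(obj) + sum(count_keys(x) for x in obj.values())
    if isinstance(obj, list):
        return sum(count_keys(x) for x in obj)
    return 0


def classify(req: ApiRequest) -> tuple:
    """Return (severity, reasons) for one request: none / low / medium / high."""
    path = req.path.split("?", 1)[0].rstrip("/")
    if req.method.upper() != "POST" or path != "/accessv2":
        return "none", []
    try:
        body = json.loads(req.body)
    except (json.JSONDecodeError, TypeError):
        return "none", []
    if not isinstance(body, dict):
        return "none", []
    nkeys = count_keys(body)
    if nkeys < SPRAY_KEY_THRESHOLD:
        return "none", []
    reasons = [f"{nkeys} JSON keys in one /accessv2 body (threshold {SPRAY_KEY_THRESHOLD})"]
    if req.authenticated:        # odd but not the pre-auth pattern described on the page
        return "low", reasons
    reasons.append("request was not authenticated")
    if "apiuser" in body:        # apiuser + spray + no auth: the described exploit shape
        reasons.append("'apiuser' key alongside sprayed keys")
        return "high", reasons
    return "medium", reasons


def scan(requests) -> list:
    """Return (index, severity, reasons) for every request that is not 'none'."""
    hits = []
    for i, r in enumerate(requests):
        sev, why = classify(r)
        if sev != "none":
            hits.append((i, sev, why))
    return hits


def sample_requests() -> list:
    """Constructed sample traffic for the example (not captured data)."""
    spray = {f"k{i}": "A" * 64 for i in range(40)}          # 40 filler pairs
    return [
        ApiRequest("POST", "/accessv2", json.dumps({"apiuser": "admin", **spray}), False),
        ApiRequest("POST", "/accessv2", json.dumps({"apiuser": "admin", "param1": "x"}), False),
        ApiRequest("POST", "/accessv2", json.dumps(spray), False),
        ApiRequest("POST", "/accessv2", json.dumps({"apiuser": "admin", **spray}), True),
        ApiRequest("GET", "/stats", "", True),
    ]


if __name__ == "__main__":
    for idx, sev, why in scan(sample_requests()):
        print(idx, sev, "; ".join(why))
    print("V7.2.63.1 vulnerable:", is_vulnerable_version("V7.2.63.1"))
```

The key count is the load-bearing signal, so measure it on legitimate traffic before setting the threshold; a body with many keys from an authenticated session is kept at low severity rather than dropped, because the page only rules out the pre-auth path, not misuse by a compromised account. Pair the request-shape rule with the host-side rule above (root shell spawned by the API process), which this script cannot observe from the HTTP layer.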