A CVSS 9.8 pre-authentication remote code execution vulnerability in Progress Kemp LoadMaster — a widely deployed application delivery controller (ADC) and load balancer — was quietly patched in early June 2026, but the risk level shot up dramatically on June 29, 2026 when watchTowr Labs published a working proof-of-concept exploit. Any attacker who can reach the LoadMaster REST API (the /accessv2 endpoint) over the network can run arbitrary commands as root — without providing a username, password, or any other credential.

The bug is a classic heap memory handling mistake in the escape_quotes() function: an uninitialized malloc() buffer combined with a missing null terminator lets an attacker spray attacker-controlled content into adjacent heap regions and trigger command execution via system(). With a public PoC now in the wild, the urgency to patch — or at least disable the API — is immediate.

What the Vulnerability Is

LoadMaster exposes a REST API at /accessv2 for administrative management. When a request arrives, the API parses a JSON body and passes the apiuser field through a function called escape_quotes(). That function allocates heap memory with malloc() — but unlike calloc(), malloc() does not zero-initialize the buffer. The function also fails to add a null terminator before handing the buffer to sprintf().

The result: sprintf() reads past the intended end of the buffer and into adjacent heap memory. Because LoadMaster's heap allocator is predictable, an attacker can perform a heap spray by sending dozens of JSON key-value pairs containing a shell command payload. The sprayed content occupies adjacent heap regions. When sprintf() overreads, it consumes the attacker's payload. That content eventually flows into a system() call, executing as root.
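The two defects described above (an uninitialized buffer and a missing terminator feeding an unbounded formatter) closed in a hardened re-implementation. This is an added example written for this article, not LoadMaster's escape_quotes() or any Progress code; the escaping rule (a backslash before each single quote), the identifier allowlist and the audit-line format are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened stand-in for the quote-escaping step. Assumed semantics (not the
 * vendor's code): every single quote in `in` is prefixed with a backslash.
 * The buffer is zero-filled and explicitly NUL-terminated, so a later
 * formatter can never read past the bytes this function wrote. */
char *escape_quotes_safe(const char *in)
{
    if (in == NULL) return NULL;
    size_t n = strlen(in);
    size_t cap = 2 * n + 1;            /* worst case: every byte escaped, plus NUL */
    char *out = calloc(cap, 1);        /* zero-filled, unlike malloc() */
    if (out == NULL) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';                     /* explicit terminator, independent of the allocator */
    return out;
}

/* Defence in depth: a management account name is a short identifier. Reject
 * anything else before it reaches string formatting or a process spawn.
 * The allowed character set is an assumption for this example. */
int apiuser_is_valid(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-' && *s != '.' && *s != '@')
            return 0;
    return 1;
}

/* Format with a bounded call. Returns 0 on success, -1 when the input is
 * rejected or the result would not fit (snprintf returns the would-be length). */
int build_audit_line(char *dst, size_t cap, const char *apiuser)
{
    if (!apiuser_is_valid(apiuser)) return -1;
    char *esc = escape_quotes_safe(apiuser);
    if (esc == NULL) return -1;
    int n = snprintf(dst, cap, "api-login user='%s'", esc);
    free(esc);
    if (n < 0 || (size_t)n >= cap) return -1;  /* truncated: refuse rather than proceed */
    return 0;
}

/* Convenience wrapper so the result of a bounded build can be checked directly. */
int check_audit_line(const char *apiuser, size_t cap)
{
    char buf[256];
    if (cap > sizeof buf) cap = sizeof buf;
    return build_audit_line(buf, cap, apiuser);
}

int main(void)
{
    char line[128];
    const char *inputs[] = { "netops", "o'neil", "ad'min" };   /* constructed sample names */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (build_audit_line(line, sizeof line, inputs[i]) == 0)
            printf("accepted: %s\n", line);
        else
            printf("rejected: %s\n", inputs[i]);
    }
    return 0;
}
```

Escaping is only the inner layer here. For the system() sink the text describes, the durable fix is to stop handing a shell a string at all: execve() or posix_spawn() with an argv array passes the account name as one argument, so quote characters have no syntactic meaning to interpret.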

The exploit crafted by watchTowr Labs uses a specific trigger: four single-quote characters in the apiuser field cause the allocator to produce a 16-byte block that clobbers allocator metadata in a predictable way; a series of spray key-value pairs containing the command to run then completes the attack. The entire exploit chain requires no authentication.

The Zero Day Initiative tracks the issue under identifier ZDI-26-342; the discoverer is Syed Ibrahim Ahmed of TrendAI Research, who reported it to ZDI on April 15, 2026.

A second vulnerability, CVE-2026-33691, was patched in the same release. It is a WAF bypass achieved by inserting whitespace padding into filenames to evade detection — lower severity, but worth noting.

Why It Matters

LoadMaster sits at the edge of your network. It's the device that receives traffic before your web servers, APIs, or internal services do. A compromise at this layer means an attacker controls traffic routing, SSL termination, and health checks — from a root shell. From there, they can intercept all decrypted traffic, pivot to internal segments, install persistent implants, or simply take the entire load balancer offline.

The PoC changes the risk calculus. Progress patched this on June 4, 2026. In the weeks since, sophisticated actors had the patch to diff against but no published PoC. That changed on June 29 when watchTowr Labs published full technical details and exploit code. Attack complexity dropped from "expert" to "script-accessible" overnight.

No authentication required. The attack requires only network access to the API endpoint — not a valid username, not a session token, not anything. If port 443 or the management interface is exposed to the internet (or even to untrusted internal networks), your device is at risk.

The Canadian Centre for Cyber Security has issued advisory av26-552 covering this vulnerability, signaling government-level concern about potential active exploitation.

Progress has not reported confirmed in-the-wild exploitation as of June 30, 2026, but given PoC availability, that status can change rapidly.

Am I Affected?

You are affected if you are running any of the following:

  • LoadMaster GA (General Availability) at version 7.2.63.1 or earlier
  • LoadMaster LTSF (Long-Term Support Feature) at version 7.2.54.17 or earlier

The attack requires the LoadMaster REST API (/accessv2) to be reachable. By default, this API is accessible from the management interface. If your management interface is exposed to the public internet, or accessible from untrusted internal hosts, your risk is elevated significantly.

To check your version: log in to the LoadMaster web UI, navigate to System Configuration → System Administration → Update Firmware, and note the build number displayed.

What To Do About It: Step-by-Step

Step 1: Update immediately to a fixed version.

  • GA release: Upgrade to 7.2.63.2 or later.
  • LTSF release: Upgrade to 7.2.54.18 or later.

Log in to the LoadMaster web UI and go to System Configuration → System Administration → Update Firmware → Download Latest Firmware. Progress's support portal also provides firmware files if direct update is not possible.

Step 2: Restrict access to the management interface and API before patching (if patching is delayed).

If you cannot patch immediately, isolate the attack surface:

  • Restrict the LoadMaster management interface to a dedicated management VLAN or jump host only.
  • Use LoadMaster's built-in Allowed Management Hosts list to whitelist only authorized IPs.
  • Block inbound access to port 443 (or whichever port your management UI uses) from untrusted networks at the perimeter firewall.
  • Consider temporarily disabling the REST API via System Configuration → RESTful API → Disable until a maintenance window allows patching.

Step 3: Review recent access logs.

Even without confirmed exploitation, post-PoC publication is the right time to review. Check LoadMaster's access logs for any unusual API calls to /accessv2 with unexpected JSON bodies — especially requests containing apiuser fields with unusual characters or long value strings.
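A triage routine for this log review step, as an added example and not LoadMaster's own tooling: the article does not show LoadMaster's access-log layout, so the log format and the sample lines below are constructed, and the thresholds are illustrative starting points to tune against your own baseline. It flags the signals named above (requests to /accessv2 whose apiuser value contains quote characters or is unusually long) and, going slightly beyond the text, also counts JSON keys in the body, because the heap spray described earlier needs dozens of key-value pairs in a single request.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative thresholds: a legitimate administrative call carries a short
 * account name and a handful of parameters. */
#define APIUSER_MAX   64
#define KEY_COUNT_MAX 16

enum {
    HIT_ACCESSV2    = 1 << 0,  /* request targets the /accessv2 endpoint */
    HIT_QUOTE_CHARS = 1 << 1,  /* apiuser contains quote or backslash characters */
    HIT_LONG_VALUE  = 1 << 2,  /* apiuser longer than APIUSER_MAX bytes */
    HIT_MANY_KEYS   = 1 << 3,  /* body carries more JSON keys than KEY_COUNT_MAX */
};

/* Count JSON keys by counting `":` sequences. Crude, but adequate for the flat
 * objects a management API call normally carries. */
static int count_json_keys(const char *body)
{
    int n = 0;
    for (const char *p = strstr(body, "\":"); p != NULL; p = strstr(p + 2, "\":"))
        n++;
    return n;
}

/* Locate the apiuser string value; returns a pointer to its first byte or NULL. */
static const char *find_apiuser_value(const char *body)
{
    const char *p = strstr(body, "\"apiuser\"");
    if (p == NULL) return NULL;
    p = strchr(p + strlen("\"apiuser\""), ':');
    if (p == NULL) return NULL;
    p++;
    while (isspace((unsigned char)*p)) p++;
    return (*p == '"') ? p + 1 : NULL;
}

/* Returns a bitmask of HIT_* flags for one access-log line (0 = nothing of interest). */
int triage_access_log_line(const char *line)
{
    int flags = 0;
    if (strstr(line, "/accessv2") == NULL) return 0;
    flags |= HIT_ACCESSV2;

    const char *body = strchr(line, '{');
    if (body == NULL) return flags;              /* no JSON body was logged */

    if (count_json_keys(body) > KEY_COUNT_MAX) flags |= HIT_MANY_KEYS;

    const char *v = find_apiuser_value(body);
    if (v != NULL) {
        size_t len = 0;
        for (const char *q = v; *q != '\0' && *q != '"'; q++, len++) {
            if (*q == '\'' || *q == '\\') flags |= HIT_QUOTE_CHARS;
            if (*q == '\\' && q[1] != '\0') { q++; len++; }   /* skip the escaped byte */
        }
        if (len > APIUSER_MAX) flags |= HIT_LONG_VALUE;
    }
    return flags;
}

/* Constructed sample lines in an invented layout: timestamp, client, method, path, status, body. */
const char *const SAMPLE_LINES[] = {
    "2026-06-30T10:01:12Z 10.0.5.20 POST /accessv2 200 body={\"apiuser\":\"netops\",\"param\":\"status\"}",
    "2026-06-30T10:02:40Z 203.0.113.7 POST /accessv2 500 body={\"apiuser\":\"ad'min\","
    "\"k01\":\"AAAA\",\"k02\":\"AAAA\",\"k03\":\"AAAA\",\"k04\":\"AAAA\",\"k05\":\"AAAA\","
    "\"k06\":\"AAAA\",\"k07\":\"AAAA\",\"k08\":\"AAAA\",\"k09\":\"AAAA\",\"k10\":\"AAAA\","
    "\"k11\":\"AAAA\",\"k12\":\"AAAA\",\"k13\":\"AAAA\",\"k14\":\"AAAA\",\"k15\":\"AAAA\","
    "\"k16\":\"AAAA\",\"k17\":\"AAAA\",\"k18\":\"AAAA\",\"k19\":\"AAAA\"}",
    "2026-06-30T10:02:55Z 198.51.100.9 POST /accessv2 400 body={\"apiuser\":\""
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "\",\"param\":\"status\"}",
    "2026-06-30T10:03:01Z 10.0.5.21 GET /login 200 body=",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0]; i++)
        printf("line %zu: flags=0x%x\n", i, triage_access_log_line(SAMPLE_LINES[i]));
    return 0;
}
```

Any line that sets HIT_QUOTE_CHARS, HIT_LONG_VALUE or HIT_MANY_KEYS deserves a manual look at the full request and the client address, and a burst of such lines from one source in the window between the June 4 patch and your upgrade is the pattern to escalate.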

Step 4: Apply the CVE-2026-33691 patch in the same update.

The same firmware update (GA 7.2.63.2 / LTSF 7.2.54.18) addresses the WAF bypass. Apply both at once.

Step 5: Verify your firewall rules after upgrading.

Confirm that your perimeter and internal firewall rules restrict access to the management interface to authorized hosts only. Patching the vulnerability is necessary; reducing the management attack surface is still a best practice going forward.

Quick-Win Checklist

  • Verified current LoadMaster firmware version (GA ≤ 7.2.63.1 or LTSF ≤ 7.2.54.17 = vulnerable)
  • Patched to GA 7.2.63.2 / LTSF 7.2.54.18 (or higher)
  • Confirmed management interface is not exposed to the public internet
  • Verified Allowed Management Hosts list is in place with only authorized IPs
  • Reviewed /accessv2 API access logs for suspicious patterns
  • CVE-2026-33691 (WAF bypass) also patched in the same firmware update
  • Checked Canadian Centre for Cyber Security advisory av26-552 for any updated guidance
