External risk intelligence

Progress LoadMaster OS Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-8037

The vulnerability affects LoadMaster appliances, which are internet-facing network edge devices (load balancers) designed to handle and manage traffic at the network perimeter. As these appliances are public-facing by design in their standard deployment role, the affected API endpoints are highly likely to be reachable from the internet.

Command Injection

Progress Connection Manager For Objectscale

before 7.2.63.2before 7.2.54.187.2.55.0 to before 7.2.63.2

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Progress products, specifically impacting their LoadMaster appliances and related connection managers. An unauthenticated attacker can exploit this flaw to execute arbitrary commands remotely by sending unsanitized input to certain API endpoints. The main concern is to confirm if these affected products are in use and exposed to the internet, as the vulnerability allows for significant system compromise.

  • Unauthenticated attackers can run commands remotely.
  • Critical network devices could be compromised.
  • Confirm product use and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending specially crafted input to specific command endpoints on the appliance. If the input is not properly sanitized, it could allow the attacker to execute arbitrary operating system commands, potentially leading to full compromise of the affected device.

  • No authentication required.
  • Input to command endpoints.
  • Arbitrary command execution risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could execute arbitrary commands on a LoadMaster appliance by sending unsanitized input to specific command endpoints. This could allow for complete compromise of the affected system.

  • System commands could be executed.
  • Exploits unsanitized API input.
  • Full system compromise is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action for this vulnerability likely involves Progress application owners and infrastructure teams, as it impacts Progress LoadMaster appliances. The initial practical step is to locate all instances of the affected technology, verify their exposure to the internet or critical business functions, and identify the specific asset owners to coordinate remediation efforts.

  • Identify affected Progress LoadMaster assets.
  • Confirm external reachability and business criticality.
  • Plan remediation based on identified ownership and risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Progress LoadMaster appliance used for?

LoadMaster is a network load balancer used by organizations to manage, distribute, and optimize incoming traffic across their servers. It acts as a critical gateway at the network edge, ensuring applications remain available and performant by intelligently routing requests. Because it manages this incoming traffic, it is typically positioned to interface directly with external networks.

How does CVE-2026-8037 cause a vulnerability?

This CVE involves a weakness known as CWE-77, or OS Command Injection. It occurs when an application fails to properly sanitize or filter user-supplied data before including it in a system command. By sending specially crafted input to affected API endpoints, an attacker can trick the system into executing unauthorized, arbitrary operating system commands with the privileges of the application.

Do I need to be authenticated to trigger CVE-2026-8037?

No. The vulnerability exists in API endpoints that do not require authentication to access. This means an attacker can send malicious requests directly to the appliance without needing valid user credentials or prior system access. The trigger requires sending unsanitized input to these specific, vulnerable command endpoints.

Is my system at risk if it is not internet-facing?

Halo Surface Signal indicates that LoadMaster appliances are commonly deployed at the network perimeter, making them highly likely to be reachable from the internet. While internet-facing instances are at the highest risk, any device running the affected software version is susceptible to this command injection. You should evaluate all instances of these products regardless of their current network placement.

How do I respond to the CVE-2026-8037 threat?

Start by identifying all instances of LoadMaster and related connection managers within your environment to determine if they are running affected software versions. Verify their network exposure and business criticality. Once identified, work with the relevant asset owners to prioritize these systems for the necessary security updates provided by the vendor.

References