FixVibe
Research notecritical

Unauthenticated RCE in Progress LoadMaster via API Command Injection (CVE-2026-8037)

Progress ADC LoadMaster appliances are vulnerable to a critical unauthenticated remote code execution (RCE) vulnerability. The flaw exists in the API's handling of multiple command endpoints, where unsanitized input allows attackers to inject and execute arbitrary OS commands on the appliance.

CVE-2026-8037CWE-77

Impact

An unauthenticated attacker can achieve full remote code execution (RCE) on the Progress LoadMaster appliance [S1]. This allows for complete system compromise, data exfiltration, and lateral movement within the network [S1].

Root Cause

The vulnerability is caused by improper sanitization of user-supplied input within multiple API command endpoints [S1]. Specifically, the application fails to neutralize special characters or sequences that are subsequently passed to the underlying operating system's command shell (CWE-77) [S1].

How FixVibe could detect it

FixVibe could detect this vulnerability through a multi-stage process:

  • Product Identification: FixVibe's passive scanner can identify Progress LoadMaster appliances by analyzing HTTP response headers, server banners, or unique web interface artifacts [S1].
  • API Endpoint Discovery: The scanner can map known API command endpoints associated with Progress ADC products [S1].
  • Active Probing: For identified instances, FixVibe could deploy gated active probes that attempt to trigger non-destructive indicators of command injection, such as time-based delays or out-of-band DNS interactions, by sending specifically crafted payloads to the vulnerable API endpoints [S1].

Concrete Fixes

Administrators should immediately apply the security updates provided by Progress for affected LoadMaster products to remediate the unsanitized input handling in the API [S1]. Disabling or restricting access to the management API from untrusted networks is also recommended as a defense-in-depth measure.

Unauthenticated RCE in Progress LoadMaster via API Command Injection (CVE-2026-8037) β€” FixVibe research Β· FixVibe