Threat Advisory

Progress Kemp LoadMaster Vulnerability Allows multiple RCE and WAF Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Progress Kemp LoadMaster application delivery controllers, impacting both General Availability (GA) and Long-Term Support (LTSF) versions. These vulnerabilities, classified as Remote Code Execution and Web Application Firewall (WAF) bypass, could allow authenticated attackers to seize control of appliances or evade critical security filters. The overall business risk is significant, as successful exploitation could lead to data breaches, system compromise, and reputational damage.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Progress Kemp LoadMaster application delivery controllers, impacting both General Availability (GA) and Long-Term Support (LTSF) versions. These vulnerabilities, classified as Remote Code Execution and Web Application Firewall (WAF) bypass, could allow authenticated attackers to seize control of appliances or evade critical security filters. The overall business risk is significant, as successful exploitation could lead to data breaches, system compromise, and reputational damage.[emaillocker id="1283"]

CVE-2026-3517 with a CVSS score of 9.1 – This vulnerability involves OS Command Injection, allowing an authenticated user to move beyond the management interface and execute arbitrary commands directly on the underlying LoadMaster appliance.

CVE-2026-3518 with a CVSS score of 9.1 – This vulnerability also involves OS Command Injection, allowing an authenticated user to move beyond the management interface and execute arbitrary commands directly on the underlying LoadMaster appliance.

CVE-2026-3519 with a CVSS score of 9.1 – This vulnerability targets the LoadMaster API, allowing an attacker to exploit unsanitized input and execute arbitrary commands.

CVE-2026-4048 with a CVSS score of 9.1 – This vulnerability occurs during the file upload process for custom WAF rules in the user interface, allowing a specially crafted multipart request to contain an encoded malicious payload that will bypass WAF detection.

The severity of the vulnerabilities makes immediate patching essential to mitigate these risks. If exploited, the vulnerabilities could lead to significant business consequences, including data breaches, system compromise, and reputational damage.

RECOMMENDATION:

We recommend you to update Kemp LoadMaster to below versions:

  • LoadMaster GA to version v7.2.63.1
  • LoadMaster LTSF to version v7.2.54.17
  • ECS Connection Manager to version v7.2.63.1
  • Connection Manager for ObjectScale to version v7.2.63.1

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/kemp-loadmaster-vulnerabilities-waf-bypass-os-injection/

[/emaillocker]
crossmenu