HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Remote Code Execution in Progress Software Kemp LoadMaster (CVE-2026-3518) Threatens Load‑Balancing Appliances

A command‑injection flaw (CVE‑2026‑3518) in Progress Software’s Kemp LoadMaster allows authenticated attackers to execute arbitrary code on the appliance. The vulnerability, scored 8.8 (High) by CVSS, can compromise load‑balancing services that many third‑party SaaS providers rely on, creating a supply‑chain risk. Immediate patching and credential hardening are required.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 zerodayinitiative.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
zerodayinitiative.com

Critical Remote Code Execution in Progress Software Kemp LoadMaster (CVE‑2026‑3518) Threatens Load‑Balancing Appliances

What It Is — A command‑injection flaw in the ssodomain_killsession endpoint of Kemp LoadMaster appliances allows an authenticated remote attacker to execute arbitrary system commands. The vulnerability stems from insufficient validation of a user‑supplied string before it is passed to a system call.

Exploitability — The vulnerability is actively exploitable once an attacker obtains valid credentials; a proof‑of‑concept has been published by the Zero Day Initiative. CVSS v3.1 base score 8.8 (High) (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Affected Products — Progress Software Kemp LoadMaster (all versions prior to the 7.2.63‑1 security update).

TPRM Impact — LoadMaster devices are often deployed as third‑party load‑balancing or reverse‑proxy services for SaaS platforms, e‑commerce sites, and internal applications. A successful RCE can lead to lateral movement, data exfiltration, or service disruption across the supply chain, exposing downstream customers to breach risk.

Recommended Actions

  • Verify the appliance firmware version; upgrade immediately to LoadMaster 7.2.63‑1 or later.
  • Enforce strong, unique credentials for all administrative accounts; rotate passwords if reuse is suspected.
  • Deploy network segmentation and restrict access to the management interface (e.g., VPN‑only, IP‑allowlists).
  • Monitor logs for anomalous ssodomain_killsession calls and enable intrusion‑detection signatures for command‑injection patterns.
  • Conduct a rapid risk assessment of any services that rely on the affected LoadMaster instance.

Source: Zero Day Initiative Advisory ZDI‑26‑318

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-318/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →