Critical Remote Code Execution in Progress Software Kemp LoadMaster (CVE‑2026‑3518) Threatens Load‑Balancing Appliances
What It Is — A command‑injection flaw in the ssodomain_killsession endpoint of Kemp LoadMaster appliances allows an authenticated remote attacker to execute arbitrary system commands. The vulnerability stems from insufficient validation of a user‑supplied string before it is passed to a system call.
Exploitability — The vulnerability is actively exploitable once an attacker obtains valid credentials; a proof‑of‑concept has been published by the Zero Day Initiative. CVSS v3.1 base score 8.8 (High) (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Affected Products — Progress Software Kemp LoadMaster (all versions prior to the 7.2.63‑1 security update).
TPRM Impact — LoadMaster devices are often deployed as third‑party load‑balancing or reverse‑proxy services for SaaS platforms, e‑commerce sites, and internal applications. A successful RCE can lead to lateral movement, data exfiltration, or service disruption across the supply chain, exposing downstream customers to breach risk.
Recommended Actions
- Verify the appliance firmware version; upgrade immediately to LoadMaster 7.2.63‑1 or later.
- Enforce strong, unique credentials for all administrative accounts; rotate passwords if reuse is suspected.
- Deploy network segmentation and restrict access to the management interface (e.g., VPN‑only, IP‑allowlists).
- Monitor logs for anomalous
ssodomain_killsessioncalls and enable intrusion‑detection signatures for command‑injection patterns. - Conduct a rapid risk assessment of any services that rely on the affected LoadMaster instance.