Critical Remote Code Execution in Kemp LoadMaster (CVE‑2026‑3517) Threatens Load‑Balancing Services
What It Is — Progress Software’s Kemp LoadMaster appliance contains a command‑injection flaw in the addcountry (customLocation) parameter that permits an authenticated remote attacker to execute arbitrary system commands.
Exploitability — The vulnerability (CVSS 8.8, AV:N/AC:L/PR:L/UI:N) is actively exploitable; proof‑of‑concept code has been shared publicly. Authentication is required, but once valid credentials are obtained the attacker can gain full code execution on the appliance.
Affected Products — Kemp LoadMaster (all versions prior to the 7.2.63‑1 security update).
TPRM Impact —
- Load balancers sit at the front‑line of many SaaS, e‑commerce, and cloud‑hosted services; compromise can cascade to downstream applications.
- A breached LoadMaster can be leveraged to pivot into internal networks, exposing customer data and disrupting critical business continuity.
Recommended Actions —
- Deploy the vendor‑provided patch (LoadMaster 7.2.63‑1 or later) immediately.
- Enforce strong, unique credentials for appliance administration; rotate any passwords that may have been used before patching.
- Restrict management‑plane access to trusted IP ranges and enable multi‑factor authentication where supported.
- Conduct a post‑patch validation scan to confirm the vulnerability is mitigated.
- Review network segmentation to ensure a compromised load balancer cannot directly reach sensitive back‑end systems.
Source: Zero Day Initiative advisory