Kemp LoadMaster API Flaw Enables Authenticated RCE: CVSS 8.8 Vulnerability Patched
CVE-2026-3517 in Progress Software Kemp LoadMaster allows authenticated users to execute arbitrary code via command injection in the customLocation parameter.…

On May 21, 2026, the Zero Day Initiative published advisory ZDI-26-319, detailing a command injection vulnerability in Progress Software Kemp LoadMaster that enables authenticated remote code execution (RCE). The flaw sits in the customLocation parameter of the addcountry API command: the user-supplied string is not validated before it is used to build a system call, so an attacker can append operating-system commands that the appliance then executes. Progress Software has released a fix. Because LoadMaster is an Application Delivery Controller (ADC) that sits at the network perimeter, the impact of a successful exploit extends well beyond the management interface.
- Vulnerability CVE-2026-3517, disclosed May 21, 2026, enables authenticated RCE in Kemp LoadMaster via command injection in the customLocation parameter of the addcountry API command.
- ZDI rates the severity at CVSS 8.8 (HIGH) with a network attack vector, while the CVE Record reports 8.4 (HIGH) with an adjacent network attack vector and high privileges required.
- Progress Software addressed the defect in LoadMaster 7.2.63.1, documenting the fix as LM-8727: "Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API."
- Exploitation requires authentication; the CVE Record specifies that an attacker must possess "Geo Administration" permissions.
- The ZDI advisory attributes the flaw to affected installations of Progress Software Kemp LoadMaster; the concrete fixed build is documented in the Progress release notes.
Attack Mechanics: From Geolocation to Appliance Control
The addcountry command is used to add custom geographic locations for traffic routing, a standard ADC function for global load balancing. According to the ZDI advisory, "the specific vulnerability exists within the handling of the customLocation parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call."
The CVE Record identifies "unsanitized input in the addcountry command" exploitable by "an authenticated attacker with 'Geo Administration' permissions." Taken together, a user holding only the Geo Administration role, a permission meant for managing geographic traffic routing, can turn it into control of the underlying appliance.
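The bug class the advisory describes, shown as an added illustration rather than LoadMaster code: a user-controlled string is concatenated into a shell command, then the same operation is rewritten to pass an argument vector with no shell and to validate the value against an allow-list first. The helper command (echo standing in for the appliance's geo-location tool), the argument layout and the allow-list pattern are all assumptions made for the example.

```python
import re
import subprocess

# Added example, not LoadMaster code. The real appliance builds a system call
# from the customLocation string; here "echo" stands in for that helper so the
# example runs anywhere with a POSIX shell. The command layout is an assumption.


def add_country_vulnerable(custom_location: str) -> str:
    """Bug class from ZDI-26-319: the user string is concatenated into a
    shell command, so shell metacharacters inside it are interpreted."""
    cmd = f"echo adding-location {custom_location}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def add_country_argv_only(custom_location: str) -> str:
    """First layer of the fix: pass an argv list with no shell. The string
    reaches the program as one literal argument; ';' and '$(...)' are inert."""
    result = subprocess.run(["echo", "adding-location", custom_location],
                            capture_output=True, text=True)
    return result.stdout


# Assumed allow-list for a location label: letters, digits, space, '_', '.', '-'.
LOCATION_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def add_country_fixed(custom_location: str) -> str:
    """Second layer: reject anything outside the allow-list before it gets
    near a process at all, then still avoid the shell."""
    if not LOCATION_RE.fullmatch(custom_location):
        raise ValueError(f"rejected customLocation: {custom_location!r}")
    return add_country_argv_only(custom_location)


if __name__ == "__main__":
    payload = "Paris; echo INJECTED"
    print("vulnerable:", repr(add_country_vulnerable(payload)))
    print("argv only: ", repr(add_country_argv_only(payload)))
    try:
        add_country_fixed(payload)
    except ValueError as exc:
        print("fixed:     ", exc)
```

With the payload `Paris; echo INJECTED`, the vulnerable path runs two commands and the second one is attacker-chosen; the argv path prints the whole payload as a single literal argument; the validated path refuses it before any process starts. Both layers matter: the allow-list protects against metacharacters the called program itself might interpret, and the argv form protects against cases the allow-list forgot.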
The discrepancy between the CVSS vectors is worth reading closely. ZDI assigns AV:N (Attack Vector: Network), treating the management API as reachable from anywhere on the network, and PR:L (Privileges Required: Low). The CVE Record instead reports AV:A (Attack Vector: Adjacent Network), PR:H (Privileges Required: High) and S:C (Scope Changed). The first two lower the score; the scope change, which records that a flaw in the API component compromises the whole appliance, raises it again, which is why the two assessments land only 0.4 apart. The choice between them reflects differing assumptions about where the LoadMaster management interface is exposed and how privileged the Geo Administration role is considered.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is required to exploit this vulnerability." — Advisory ZDI-26-319
Why Load Balancers Represent a Perimeter Blind Spot
Application Delivery Controllers like Kemp LoadMaster occupy a unique architectural position: they terminate TLS, route requests to backends, and enforce security policy, so all application traffic passes through them in the clear. Compromising an ADC therefore lets an attacker read or alter the traffic of every application behind it.
That centrality is rarely matched by operational attention. Security teams focus on endpoints and cloud workloads, while network appliances are patched less often and their role assignments reviewed less often still. CVE-2026-3517 shows the consequence: a "Geo Administration" role becomes a path to full system compromise.
The disclosure timeline was typical for coordinated disclosure. ZDI reported the vulnerability to Progress on February 23, 2026, and the advisory was published on May 21, 2026, an 87-day window.
Patch Analysis and Documentation
Progress Software documented the fix in the release notes for LoadMaster 7.2.63.1, identifying the resolution as LM-8727: "Fixed an issue that allowed an authenticated user to inject arbitrary OS commands through the API." The CVE Record provides additional granularity regarding the requirement for "Geo Administration" permissions. This detail is critical for modeling insider threats or compromised accounts; consequently, mitigation involves both patching and a review of role assignments.
Mitigation and Response
- Confirm the installed Kemp LoadMaster build is 7.2.63.1 or later; the Progress release notes for 7.2.63.1 record the fix for authenticated API command injection as LM-8727.
- Audit accounts with "Geo Administration" permissions following the principle of least privilege, as the CVE Record identifies this role as a prerequisite for exploitation.
- Monitor API access logs for calls to the addcountry command whose customLocation parameter contains shell metacharacters or otherwise anomalous values.
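The version check and the log hunt from the list above, as an added example that is not Progress tooling. The version test assumes that builds newer than 7.2.63.1 keep the LM-8727 fix. The log layout (key=value fields with a src, user and path) is an assumption made for the example, as are the sample lines, which are constructed and not real LoadMaster logs; the point is the decoding step, which must undo percent-encoding before looking for metacharacters, because that is the form the command handler sees.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not Progress tooling. Version check: the Progress release notes
# for 7.2.63.1 record the fix as LM-8727; this ASSUMES later builds keep it.
FIXED_VERSION = (7, 2, 63, 1)


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the running build is 7.2.63.1 or newer."""
    return parse_version(version) >= FIXED_VERSION


# Detection over an ASSUMED access-log layout with key=value fields; adapt the
# regex to whatever the appliance or the syslog collector actually emits.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) path=(?P<path>\S+)")
# Shell metacharacters that have no business in a location label. Quotes are
# left out to avoid flagging names like St. John's; add them if you prefer
# noise to misses.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")


def suspicious_addcountry_calls(lines):
    """Returns one finding per addcountry call whose (decoded) customLocation
    carries shell metacharacters."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        url = urlsplit(m["path"])
        if url.path.rstrip("/").rsplit("/", 1)[-1] != "addcountry":
            continue
        # parse_qs undoes percent-encoding and '+', so the check sees what the
        # command handler would have seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for loc in params.get("customLocation", []):
            if SHELL_META.search(loc):
                findings.append({"src": m["src"], "user": m["user"],
                                 "customLocation": loc})
    return findings


# Constructed sample lines (not real LoadMaster logs).
SAMPLE_LOG = """\
2026-05-22T10:01:02Z src=10.0.0.5 user=geoadmin path=/access/addcountry?cc=XQ&customLocation=Paris status=200
2026-05-22T10:02:17Z src=10.0.0.5 user=geoadmin path=/access/addcountry?cc=XQ&customLocation=Paris%3B+id status=200
2026-05-22T10:03:40Z src=10.0.0.9 user=vsadmin path=/access/addvs?vs=10.0.0.100&port=443 status=200
2026-05-22T10:04:05Z src=10.0.0.5 user=geoadmin path=/access/addcountry?cc=XQ&customLocation=Lyon%24(id) status=200
""".splitlines()

if __name__ == "__main__":
    for v in ("7.2.62.0", "7.2.63", "7.2.63.1", "7.2.64"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for f in suspicious_addcountry_calls(SAMPLE_LOG):
        print("suspicious:", f)
```

On the sample lines the scan flags the second and fourth calls (`Paris; id` and `Lyon$(id)` after decoding) and ignores the benign addcountry call and the unrelated command. Pair the findings with the Geo Administration audit: a hit from an account that should not hold that role is the stronger signal.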
When the Perimeter Becomes the Problem
The discovery of CVE-2026-3517 follows a pattern where network infrastructure appliances accumulate security debt until disclosure. The Kemp LoadMaster case demonstrates how an authenticated vulnerability can result in systemic compromise due to the target's strategic position.
The gap between the 8.8 and 8.4 CVSS scores shows how much the rating depends on the scorer's assumptions; organizations should rescore against their own deployment, asking who can reach the management API and who holds Geo Administration rights. Both ratings are HIGH. There is currently no public evidence of in-the-wild exploitation, but the published advisory and release notes give attackers enough to locate the flaw by comparing the patched and unpatched builds.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-319/
- https://www.cve.org/CVERecord?id=CVE-2026-3517
- https://www.zerodayinitiative.com/advisories/
- http://nvd.nist.gov/cvss.cfm?calculator&version=3.0&vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- https://www.progress.com/
- https://docs.progress.com/bundle/release-notes_loadmaster-7-2-63-1/page/Security-Updates.html
Information verified against cited sources and current as of publication.