Progress security advisory (AV26-552)
Analysis Summary
# Vulnerability: Critical Flaws in Progress Sitefinity and Kemp LoadMaster (June 2026)
## CVE Details
- **CVE IDs:**
  - **Kemp LoadMaster:** CVE-2026-8037, CVE-2026-33691
  - **Sitefinity:** CVE-2026-7312, CVE-2026-7198, CVE-2026-7195, CVE-2026-7201, CVE-2026-7313
- **CVSS Score:** Critical (specific numerical scores are given in the vendor advisories)
- **CWE:** Multiple (Includes flaws addressed in cumulative security updates)
## Affected Systems
- **Products:**
  - Sitefinity CMS and Sitefinity Insight
  - Progress Kemp LoadMaster
- **Versions:**
  - **Sitefinity:** Multiple versions (check specific build versions in the vendor advisory)
  - **Kemp LoadMaster GA:** Version v7.2.63.1 and prior
  - **Kemp LoadMaster LTSF:** Version v7.2.54.17 and prior
- **Configurations:** Systems exposed to the public internet or running vulnerable management interfaces.
## Vulnerability Description
While the advisory covers multiple CVEs, the critical updates primarily address flaws in the management surface and content management logic:
- **Kemp LoadMaster:** The vulnerabilities involve critical security bypass or remote execution risks within the LoadMaster operating system/management interface.
- **Sitefinity CMS:** The vulnerabilities address a range of issues including potential unauthorized access, data exposure, and manipulation of site content through the CMS and Insight platforms.
## Exploitation
- **Status:** Rated "Critical"; users are urged to patch immediately (check the vendor trust center for active exploitation reports).
- **Complexity:** Generally Low to Medium.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Potential unauthorized access to sensitive data)
- **Integrity:** High (Risk of unauthorized modification of system configurations or site content)
- **Availability:** High (Critical vulnerabilities could lead to system compromise or service disruption)
## Remediation
### Patches
Progress recommends upgrading to the following (or newer) versions:
- **Kemp LoadMaster GA:** Upgrade to v7.2.63.2 or later.
- **Kemp LoadMaster LTSF:** Upgrade to v7.2.54.18 or later.
- **Sitefinity CMS:** Consult the "May 2026 Security Advisory" link below for the cumulative hotfix applicable to your version branch.
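A triage helper for the LoadMaster side of this advisory, added here as an example and not part of the vendor bulletin: it takes the affected and fixed versions stated above and flags inventory entries that still need the update. The GA/LTSF branch of each appliance is assumed to be known and supplied as input; the hostnames are constructed sample data.

```python
# Constructed triage helper for the LoadMaster versions named in this advisory.
# The version boundaries come from the advisory; the inventory below is made up.
from typing import NamedTuple

# Last affected build per branch; the fix is the next patch level.
LAST_VULNERABLE = {
    "GA": (7, 2, 63, 1),     # v7.2.63.1 and prior; fixed in v7.2.63.2
    "LTSF": (7, 2, 54, 17),  # v7.2.54.17 and prior; fixed in v7.2.54.18
}
FIXED_IN = {"GA": "v7.2.63.2", "LTSF": "v7.2.54.18"}


class Appliance(NamedTuple):
    host: str
    branch: str   # "GA" or "LTSF", assumed known from the asset inventory
    version: str


def parse_version(text: str) -> tuple:
    """Turn 'v7.2.63.1' (or '7.2.63.1') into a tuple of ints for comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised LoadMaster version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(branch: str, version: str) -> bool:
    """True when the build is at or below the last affected version of its branch.
    A short version such as '7.2.63' compares below '7.2.63.1' and is treated as
    affected, which errs on the side of patching."""
    key = branch.upper()
    if key not in LAST_VULNERABLE:
        raise ValueError(f"unknown branch {branch!r}; expected GA or LTSF")
    return parse_version(version) <= LAST_VULNERABLE[key]


def triage(inventory):
    """Return (host, branch, version, fixed_in) for each appliance still affected."""
    return [(a.host, a.branch.upper(), a.version, FIXED_IN[a.branch.upper()])
            for a in inventory if is_vulnerable(a.branch, a.version)]


# Constructed sample inventory (hostnames are not real).
SAMPLE_INVENTORY = [
    Appliance("lm-edge-01", "GA", "v7.2.63.1"),
    Appliance("lm-edge-02", "GA", "v7.2.63.2"),
    Appliance("lm-core-01", "LTSF", "7.2.54.17"),
    Appliance("lm-core-02", "LTSF", "v7.2.54.18"),
]

if __name__ == "__main__":
    for host, branch, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {branch} {version} affected, upgrade to {fixed} or later")
```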
### Workarounds
- Limit access to the LoadMaster management interface to trusted internal networks only.
- Ensure Sitefinity administrative backends are protected by IP whitelisting or robust Multi-Factor Authentication (MFA).
## Detection
- Monitor for unusual administrative login attempts or configuration changes on LoadMaster appliances.
- Review Sitefinity audit logs for unauthorized content modifications or API calls to `/Sitefinity/` endpoints.
- Use vulnerability scanners with updated definitions for the identified CVEs.
## References
- Progress Kemp Security Bulletin: hxxps[://]community[.]progress[.]com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
- Sitefinity Security Advisory: hxxps[://]community[.]progress[.]com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026
- Progress Trust Center: hxxps[://]www[.]progress[.]com/trust-center
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/progress-security-advisory-av26-552