CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 77  ·  July 2, 2026  ·  cybersip.net  ·  3 active items  ·  Under 5 min read
Today’s picture
Yesterday’s brief reported that Kemp LoadMaster CVE-2026-8037 had not yet been confirmed exploited despite a full public exploit chain. Overnight that changed. eSentire’s Threat Response Unit confirmed exploitation attempts against CVE-2026-8037 starting June 29, two days after watchTowr published its write-up and the same day the technical details went public. The window between public exploit and confirmed exploitation was roughly 72 hours. Cato AI Labs today disclosed DuneSlide, two CVSS 9.8 flaws in Cursor IDE that let a poisoned MCP server response or web search result run arbitrary shell commands on a developer’s machine with no user click required. Cursor 3.0 contains the fix, but the vendor initially rejected both reports before escalation reversed that decision. Adobe issued an emergency patch batch on June 30 covering seven CVSS 10.0 vulnerabilities across ColdFusion and Campaign Classic, assigning its highest Priority 1 rating to signal that exploitation is imminent even though no in-the-wild use has been confirmed.
Threat snapshot
3 active items · 2 monitoring
  • Kemp LoadMaster CVE-2026-8037 / now actively exploited / 72-hour window
  • Cursor DuneSlide / CVSS 9.8 / zero-click MCP sandbox escape / patched in 3.0
  • Adobe ColdFusion / 7 CVSS 10.0 flaws / emergency patch / Priority 1
3 items this issue
Escalated Today · Kemp LoadMaster · Now Exploited
Kemp LoadMaster CVE-2026-8037 is now being actively exploited. eSentire confirmed exploitation attempts beginning June 29, the same day watchTowr published its write-up. Yesterday’s issue reported no confirmed exploitation. That changed overnight. Patch immediately and restrict API access.
The exploitation window was 72 hours from public technical write-up to confirmed attacks. LoadMaster sits at the network edge. A successful pre-auth root execution gives an attacker a position from which every internal server, application, and endpoint managed through LoadMaster is reachable without further exploitation. LoadMaster has now had two separate critical vulnerabilities exploited in the wild in under two years.
Today · Cursor IDE · Patched in 3.0
Cursor DuneSlide: two CVSS 9.8 flaws let a poisoned MCP server response or web search result run unsandboxed commands on a developer’s machine. No user click required. Used by more than half of the Fortune 500. Fix is in Cursor 3.0, released April 2.
CVE-2026-50548 abuses the sandbox’s working directory permission to overwrite the cursorsandbox helper binary itself, removing all sandbox restrictions for subsequent commands. CVE-2026-50549 exploits a symlink check fallback to write to arbitrary paths when path canonicalization fails. Cato says it is disclosing similar flaws in other AI coding agents.
June 30 · Adobe · 7x CVSS 10.0 · Patched
Adobe emergency patches seven CVSS 10.0 flaws in ColdFusion and Campaign Classic. Six in ColdFusion covering unrestricted file upload, improper input validation, and path traversal, all enabling unauthenticated RCE. One in Campaign Classic. Priority 1 rating, 72-hour patch window urged.
No in-the-wild exploitation confirmed, but Priority 1 means Adobe considers it imminent. ColdFusion has a well-documented history of rapid post-disclosure exploitation. Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. Block external access to /CFIDE/administrator regardless of patch status.
Detailed intelligence
Full analysis
01 Kemp LoadMaster Now Exploited
Kemp LoadMaster CVE-2026-8037 confirmed exploited, one day after yesterday’s issue reported it was not. Exploitation started June 29, within hours of the public watchTowr write-up. Patch is available. Restrict API access now.
CVE-2026-8037 · CVSS 9.8 · eSentire
eSentire’s Threat Response Unit published an advisory today confirming exploitation attempts against CVE-2026-8037 in Progress Kemp LoadMaster beginning June 29, 2026. That date is the same day watchTowr published its detailed technical write-up. Yesterday’s CyberSip issue correctly reported that no exploitation had been confirmed at the time of writing. The window between technical disclosure and active exploitation was approximately 72 hours.
Executive Impact
Any organization running Kemp LoadMaster with the API enabled should treat this as a confirmed active exploitation event, not a theoretical risk. Apply the available patch immediately. If patching cannot happen right now, restrict access to the LoadMaster API to trusted management networks and block external access to the /accessv2 endpoint at the network perimeter. LoadMaster at the network edge gives an attacker who achieves pre-auth root execution visibility and access to the traffic of every application managed through it, including the ability to intercept, modify, or redirect traffic for internal services.
Don’t Miss
The 72-hour window from watchTowr technical disclosure to confirmed exploitation is slightly faster than the three-week window seen with Cisco Unified CM CVE-2026-20230 in Issues 71 and 73, and faster than the six-week window for Oracle EBS CVE-2026-46817 in Issue 76. The compression is consistent with what this brief has documented across 2026: edge infrastructure vulnerabilities with public technical write-ups are moving from disclosure to exploitation faster than standard enterprise patch cycles can close. watchTowr’s blog post, titled “Enterprise Tech In, Shell Out,” noted explicitly that the previous critical LoadMaster flaw reached CISA KEV within weeks of its own disclosure. This one followed that pattern precisely. For any organization that was waiting to see whether CVE-2026-8037 would actually be exploited before treating it as urgent: the answer is now confirmed.
CyberSip Take
Yesterday this brief said: the previous LoadMaster critical flaw reached CISA KEV within weeks. The exploitation window has now shrunk from weeks to days. Any organization still waiting on scheduled maintenance to patch a network edge appliance that has a confirmed, actively exploited critical flaw and a full public exploit should move this to emergency change control today.
What is new

eSentire’s Threat Response Unit published an advisory today confirming that its detection capabilities observed exploitation attempts against CVE-2026-8037 in Progress Kemp LoadMaster starting June 29, 2026. watchTowr Labs published its detailed technical write-up on June 29 as well, meaning that in-the-wild exploitation began on the same day that comprehensive public technical details became available.

CVE-2026-8037 is a pre-authentication OS command injection flaw in the LoadMaster API. The root cause, documented in detail by watchTowr, is a combination of uninitialized heap memory and a missing null terminator in the escape_quotes() function that is meant to sanitize user input before it is passed to a shell command. When an attacker sends a crafted request to the /accessv2 API endpoint, injected commands bypass the sanitization and execute on the appliance with root privileges. No authentication is required. The affected versions are GA v7.2.63.1 and earlier and LTSF v7.2.54.17 and earlier. Progress published its advisory and patch on June 4, 2026, 25 days before the exploitation activity began.

This is the second critical LoadMaster vulnerability to be actively exploited within the last two years. CVE-2024-1212, a previous LoadMaster command injection flaw rated CVSS 10.0, was added to the CISA Known Exploited Vulnerabilities catalog after confirmed exploitation in November 2024.
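
One way to check whether the /accessv2 endpoint has been reachable from outside the management networks is to scan reverse-proxy or perimeter access logs. The script below is an added example, not code from eSentire, watchTowr or Progress; it goes beyond LoadMaster to cover the two other request paths this issue names. The combined log format, the TRUSTED network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# (label, required HTTP method or None for any, lowercase path) from this issue.
WATCHLIST = [
    ("Kemp LoadMaster CVE-2026-8037", None, "/accessv2"),
    ("Oracle EBS CVE-2026-46817", "POST", "/oa_html/ibytransmit"),
    ("ColdFusion administrator", None, "/cfide/administrator"),
]
# Assumption: the only networks that should ever reach these paths.
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format: src ident user [time] "METHOD target proto" status ...
LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [29/Jun/2026:14:02:11 +0000] "POST /accessv2 HTTP/1.1" 200 512
10.20.0.15 - - [29/Jun/2026:14:05:00 +0000] "POST /accessv2 HTTP/1.1" 200 310
198.51.100.7 - - [27/Jun/2026:03:10:40 +0000] "GET /OA_HTML/ibytransmit HTTP/1.1" 405 0
198.51.100.7 - - [27/Jun/2026:03:10:42 +0000] "POST /OA_HTML/ibytransmit HTTP/1.1" 200 87
203.0.113.9 - - [01/Jul/2026:09:00:00 +0000] "GET //CFIDE/administrator/index.cfm HTTP/1.1" 302 0
203.0.113.9 - - [01/Jul/2026:09:00:03 +0000] "GET /accessv2-docs.html HTTP/1.1" 404 0
""".splitlines()


def normalize(target: str) -> str:
    """Drop the query string, decode, collapse duplicate slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()


def triage(lines):
    """Group watchlisted requests from untrusted sources by watchlist label."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname or malformed source field
        if any(src in net for net in TRUSTED):
            continue
        path = normalize(m["target"])
        for label, method, prefix in WATCHLIST:
            if method and m["method"] != method:
                continue
            # Match the path itself or anything beneath it, not look-alikes.
            if path == prefix or path.startswith(prefix + "/"):
                hits[label].append((str(src), m["ts"], m["method"], m["status"]))
    return dict(hits)


if __name__ == "__main__":
    for label, events in triage(SAMPLE_LOG).items():
        for src, ts, method, status in events:
            print(f"{label}: {method} from {src} at {ts} -> HTTP {status}")
```

A 2xx or 3xx status on any hit means the perimeter block for that path is not in place; a hit on or after the exploitation dates given above warrants a closer look at the host.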

Recommended actions
Derived from The Hacker News and eSentire Threat Response Unit advisory on CVE-2026-8037 active exploitation, July 2, 2026.
02 Cursor DuneSlide Patched in 3.0
Cursor DuneSlide: two CVSS 9.8 sandbox escape flaws let a poisoned MCP response or web search result run arbitrary unsandboxed commands on a developer’s machine. No user interaction beyond issuing a normal prompt. Fix is in Cursor 3.0.
CVE-2026-50548 · CVE-2026-50549 · CVSS 9.8
Cato AI Labs today disclosed DuneSlide, two critical vulnerabilities in Cursor IDE tracked as CVE-2026-50548 and CVE-2026-50549. Both are prompt injection flaws that escape Cursor’s terminal sandbox and reach classical code execution paths. The attack requires no user click, no approval dialog, and no malicious file download. It is enough for a developer to issue a normal prompt that inadvertently causes Cursor’s agent to read attacker-controlled content from an MCP server or web search result.
Executive Impact
Any organization with developers using Cursor IDE should ensure all installations are on version 3.0 or later. Cursor claims that more than half of Fortune 500 companies use the tool. All versions before 3.0 are affected by both flaws. The practical risk is that a developer working with Cursor connected to any MCP server, including standard integrations like Linear for project management, could have attacker-controlled content injected via a poisoned server response that then executes commands on their machine, accesses their cloud credentials, and moves to connected SaaS workspaces, without the developer ever doing anything unexpected.
Don’t Miss
The disclosure timeline reveals a significant vendor response problem. Cato AI Labs reported both vulnerabilities on February 19, 2026. On February 23, Cursor’s security team rejected both reports. The stated justification was that Cursor’s threat model does not account for MCP server misuse, even for standard, innocuous MCP integrations like the official Linear.app workspace. Cato escalated on February 26, at which point the Cursor security team reopened the cases and began triaging. Fixes shipped in Cursor 3.0 on April 2. The patch took over six weeks from initial report to ship. The initial rejection of vulnerabilities that Cato rated CVSS 9.8, because the vendor’s stated threat model excluded MCP server misuse as a vector, is exactly the kind of threat model gap this brief has documented across the broader AI coding tool ecosystem since Issue 63. A threat model that excludes MCP misuse in tools that integrate MCP by design is not a complete threat model.
CyberSip Take
DuneSlide is not a Cursor-specific finding. Cato states it is in the process of disclosing similar vulnerabilities in other AI coding agents, and that the problem is structural rather than a pair of isolated bugs. The sandbox Cursor introduced to limit agent damage was bypassed by manipulating the parameters the sandbox itself accepts. A sandbox that trusts the agent to tell it where to write is not an effective sandbox. The broader question for any team using AI coding tools with MCP integrations is whether those tools have an up-to-date threat model that includes the MCP attack surface, not just the prompt injection surface at the language model layer.
How DuneSlide works

Starting with the Cursor 2.x release line, Cursor runs terminal commands issued by its AI agent inside a sandbox designed to restrict what those commands can touch, preventing a rogue instruction from causing broad system damage. DuneSlide is named for the two techniques used to escape that sandbox through prompt injection.

CVE-2026-50548 exploits a configuration parameter. The Cursor sandbox permits write access to the working directory of any command it runs. That directory is specified by an optional parameter, working_directory, on Cursor’s run_terminal_cmd tool, and the value of that parameter is controlled by the AI agent rather than locked down by the sandbox. An attacker-controlled payload delivered via MCP server response or web search result instructs the agent to set working_directory to an arbitrary path outside the project, such as /Applications/Cursor.app/Contents/Resources/app/resources/helpers/cursorsandbox. The sandbox, seeing a write to the designated working directory, permits it. Overwriting cursorsandbox with attacker-controlled content removes sandbox restrictions for all subsequent commands in the session.

CVE-2026-50549 exploits a fallback in Cursor’s path validation logic. Before writing a file, Cursor attempts to resolve symlinks and verify the real target sits inside the project directory. When that verification fails, because the target does not exist or the attacker removes read access to a directory in the path, Cursor falls back to trusting the original, unvalidated symlink path. Injected instructions create a symlink inside the project pointing to an external target, then trigger the failure condition to bypass the validation and write to the external path.

Both flaws were patched in Cursor 3.0, released April 2, 2026. All versions before 3.0 are affected. Cato AI Labs confirmed that the attack is triggered with zero user interaction beyond issuing a normal development prompt that causes the agent to read attacker-controlled content.
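
Both flaws come down to the sandbox trusting input it should verify. As an added example (not Cursor’s code or its actual fix), the Python below shows a fail-closed version of the two checks described above: the agent-supplied working_directory is accepted only if it resolves inside the project, and a symlink that cannot be resolved is rejected rather than trusted. The function names and the temporary directory layout are hypothetical.

```python
import os
import tempfile
from pathlib import Path

class PathRejected(Exception):
    """The path could not be proven to resolve inside the project."""

def resolve_inside(project_root, requested) -> Path:
    """Canonicalize `requested`; raise PathRejected unless it lands in the project."""
    root = Path(project_root).resolve(strict=True)
    candidate = root / requested  # an absolute `requested` replaces root here
    try:
        if candidate.is_symlink() or candidate.exists():
            real = candidate.resolve(strict=True)
        else:
            # New file: its parent must already exist and resolve cleanly.
            real = candidate.parent.resolve(strict=True) / candidate.name
    except (OSError, RuntimeError) as exc:
        # Fail closed: a missing target, unreadable directory or symlink loop
        # rejects the write instead of falling back to the unresolved path.
        raise PathRejected(f"cannot canonicalize {requested!r}: {exc}") from exc
    if real != root and root not in real.parents:
        raise PathRejected(f"{requested!r} resolves outside the project")
    return real

def validated_cwd(project_root, working_directory=None) -> Path:
    """Writable directory for a sandboxed command; the agent-supplied value
    may narrow it to a directory inside the project, never widen it."""
    if working_directory is None:
        return Path(project_root).resolve(strict=True)
    cwd = resolve_inside(project_root, working_directory)
    if not cwd.is_dir():
        raise PathRejected(f"{working_directory!r} is not a directory")
    return cwd

def demo() -> dict:
    """Run both checks on a constructed temp layout (not real Cursor paths)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        project, outside = Path(tmp, "project"), Path(tmp, "helpers")
        (project / "src").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside / "missing", project / "dangling")  # target absent
        os.symlink(outside, project / "link_out")              # leaves project
        cases = {
            "new_file_in_project": lambda: resolve_inside(project, "src/new.py"),
            "cwd_in_project": lambda: validated_cwd(project, "src"),
            "cwd_outside_project": lambda: validated_cwd(project, str(outside)),
            "dangling_symlink": lambda: resolve_inside(project, "dangling"),
            "write_via_symlink": lambda: resolve_inside(project, "link_out/helper"),
            "dotdot_escape": lambda: resolve_inside(project, "../helpers/helper"),
        }
        for name, check in cases.items():
            try:
                check()
                results[name] = "allowed"
            except PathRejected:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Because the check and the write are separate operations, pair this with opening the final path without following symlinks (for example O_NOFOLLOW) so the result cannot change in between.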

Recommended actions
Derived from The Hacker News, CSO Online, and Cato AI Labs blog on DuneSlide CVE-2026-50548 and CVE-2026-50549, July 1–2, 2026.
03 Adobe 7x CVSS 10.0 Patched
Adobe emergency patches seven CVSS 10.0 flaws across ColdFusion and Campaign Classic. Six ColdFusion vulnerabilities allow unauthenticated RCE. One Campaign Classic flaw reaches arbitrary code execution. Priority 1 rating: patch within 72 hours.
APSB26-68 · 7 CVEs at CVSS 10.0 · June 30
Adobe published emergency security bulletin APSB26-68 on June 30, 2026, covering 11 vulnerabilities in ColdFusion 2025 and 2023, and a separate bulletin for Campaign Classic. Six of the ColdFusion vulnerabilities and the Campaign Classic flaw carry a CVSS score of 10.0. Adobe assigned Priority Rating 1 to both updates, its highest severity classification, indicating the company considers exploitation likely in the near term.
Executive Impact
Apply ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 without delay. Update Adobe Campaign Classic to build 9397. Adobe’s 72-hour patch recommendation for Priority 1 bulletins reflects the company’s own assessment that these flaws will be weaponized quickly. ColdFusion has a documented history of rapid post-disclosure exploitation: critical ColdFusion flaws in 2023 were actively exploited within days of patch release. The six CVSS 10.0 flaws all allow unauthenticated remote code execution, meaning any internet-facing ColdFusion server that has not applied Update 10 or 21 is currently exposed to a full compromise with no authentication barrier.
Don’t Miss
Adobe also announced today that starting July 14, 2026, the company will move from its monthly security bulletin cycle to a twice-monthly schedule. The stated reason is to reduce the time between vulnerability discovery and fix delivery. That change is directly relevant to how organizations should plan ColdFusion patching going forward: a patch that previously arrived on the last Tuesday of the month will now potentially arrive mid-month as well. Teams whose ColdFusion patch approval processes are tuned to monthly cycles should update their change management procedures before July 14. The change also means the exposure window for any newly discovered ColdFusion flaw will be shorter on average, which is a meaningful improvement given the platform’s history as a high-value exploitation target.
CyberSip Take
Seven CVSS 10.0 flaws in one bulletin, unauthenticated RCE across all of them, Priority 1 rating, and a platform with a documented history of rapid post-disclosure exploitation. Adobe’s 72-hour recommendation is not a suggestion. ColdFusion administrators should block external access to /CFIDE/administrator today, apply the update on a test instance, and get it into production before the weekend. The twice-monthly patch cadence starting July 14 is also a practical change that teams should prepare for now.
What was patched

Adobe published emergency security bulletin APSB26-68 on June 30, 2026 covering 11 vulnerabilities in Adobe ColdFusion 2025 and ColdFusion 2023. Six of the flaws carry the maximum CVSS score of 10.0. CVE-2026-48276 and CVE-2026-48283 are unrestricted file upload vulnerabilities that allow an unauthenticated attacker to upload and execute malicious files on the server. CVE-2026-48277, CVE-2026-48281, and CVE-2026-48316 are improper input validation flaws that each enable arbitrary code execution through malformed request handling. CVE-2026-48282 is a path traversal vulnerability that leads to arbitrary code execution. All six require no authentication and no user interaction.

Beyond the maximum-severity flaws, the bulletin also addresses CVE-2026-48313, a path traversal enabling arbitrary file system reads (CVSS 9.3); CVE-2026-48315, enabling privilege escalation (CVSS 9.3); CVE-2026-48307, a reflected XSS with code execution (CVSS 8.8); and CVE-2026-48285, an SSRF flaw enabling security feature bypass (CVSS 8.6). Fixes are in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. ColdFusion 2021 has reached end of life and receives no security updates.

A separate bulletin covers CVE-2026-48286 in Adobe Campaign Classic, an incorrect authorization vulnerability rated CVSS 10.0 enabling arbitrary code execution. The fix is in Campaign Classic v7.4.3 build 9397. Adobe has not confirmed in-the-wild exploitation of any of these flaws but assigned Priority Rating 1 across all bulletins, indicating imminent exploitation risk.

Recommended actions
Derived from SecurityWeek, The Hacker News, and Adobe security bulletin APSB26-68, June 30 and July 2, 2026.
Still watching
Aging items · days 2–4
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Oracle EBS CVE-2026-46817 CVSS 9.8 (Issue 76). Confirmed exploited June 27, before any public PoC. Apply Oracle May 2026 Critical Security Patch Update. Review logs for POST requests to /OA_HTML/ibytransmit. Third Oracle enterprise application exploitation in eight months. Day 2
libssh2 CVE-2026-55200 CVSS 9.2 (Issue 75). Public PoC available. No official patched release yet. Apply a build containing commit 97acf3d. Embedded in curl, Git, PHP, and appliances via static linking. Day 3
Cross-source standouts
01 The exploitation window for edge infrastructure vulnerabilities with public technical write-ups is now measured in hours, not weeks
This brief has documented the exploitation window across multiple high-profile vulnerabilities in 2026. Cisco Unified CM CVE-2026-20230 moved from public PoC to confirmed exploitation in three weeks. Oracle EBS CVE-2026-46817 was exploited six weeks after the patch shipped, with no public PoC. Kemp LoadMaster CVE-2026-8037 was exploited within 72 hours of watchTowr’s technical write-up, three days after a patch had been available for 25 days. The pattern is consistent: the publication of a detailed technical write-up with a working exploit accelerates exploitation dramatically compared to a patch release alone. For network edge infrastructure in particular, organizations should treat a watchTowr, Horizon3, or GreyNoise technical publication as a signal to move to emergency patching, not to wait for CISA KEV confirmation. By the time KEV confirmation arrives, exploitation has often been underway for days or weeks.
02 Cursor initially rejected both DuneSlide reports because MCP misuse was outside its threat model
Cato AI Labs reported both DuneSlide vulnerabilities on February 19. Cursor rejected both four days later, citing a threat model that does not account for MCP server misuse, including standard integrations like the official Linear.app connector. That reasoning means the vendor explicitly decided not to consider MCP as a potential attack vector for its sandbox, in a tool that integrates MCP by design and where the MCP surface is precisely what DuneSlide exploits. The rejection was later reversed after escalation, and the fix shipped in Cursor 3.0 on April 2. The broader observation is that the AI coding tool industry is still resolving whether MCP is part of the attack surface that security teams need to defend. The NCSC’s June 22 vibe coding warning from Issue 69 named the same problem from the defensive side: AI-generated and AI-assisted code is being deployed before security teams have fully mapped the attack surface it creates. The Cursor initial rejection and the DuneSlide disclosure both point to the same gap in an industry that is adding trust boundaries faster than it is auditing them.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.