Vulnerability Description
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ncr | Command Center Agent | 16.3 |
Related Weaknesses (CWE)
References
- https://github.com/roughb8722/CVE-2021-3122-Details/blob/main/CVE-2021-3122Third Party Advisory
- https://rdf2.alohaenterprise.com/client/CMCInst.zipThird Party Advisory
- https://www.tetradefense.com/incident-response-services/active-exploit-a-remote-Third Party Advisory
- https://github.com/roughb8722/CVE-2021-3122-Details/blob/main/CVE-2021-3122Third Party Advisory
- https://rdf2.alohaenterprise.com/client/CMCInst.zipThird Party Advisory
- https://www.tetradefense.com/incident-response-services/active-exploit-a-remote-Third Party Advisory
FAQ
What is CVE-2021-3122?
CVE-2021-3122 is a vulnerability with a CVSS score of 9.8 (CRITICAL). CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated ...
How severe is CVE-2021-3122?
CVE-2021-3122 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-3122?
Check the references section above for vendor advisories and patch information. Affected products include: Ncr Command Center Agent.