CVE-2021-3122: OS Command Injection
First published: Sun Feb 07 2021(Updated: )
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| NCR Command Center Agent | =16.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-3122?
CVE-2021-3122 is rated as critical due to its potential for remote, unauthenticated command execution as the SYSTEM user.
How do I fix CVE-2021-3122?
To remediate CVE-2021-3122, upgrade NCR Command Center Agent to a version later than 16.3 that addresses this vulnerability.
What is affected by CVE-2021-3122?
CVE-2021-3122 affects NCR Command Center Agent version 16.3 installed on Aloha POS/BOH servers.
Can CVE-2021-3122 be exploited remotely?
Yes, CVE-2021-3122 can be exploited remotely without authentication, allowing attackers to execute arbitrary commands.
What are the potential impacts of CVE-2021-3122?
The impact of CVE-2021-3122 includes unauthorized system access and execution of malicious commands, which can lead to data breaches.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- vendor/ncr
- canonical/ncr command center agent
- version/ncr command center agent/16.3