James Burton

**Name of the Vulnerable Software and Affected Versions** Controlup Real-Time Agent versions prior to 8.5 **Description** The issue concerns an unauthenticated Named Pipe channel in the Controlup Real-Time Agent, potentially allowing an attacker to run OS commands via the `ProcessActionRequest` WCF method. **Recommendations** For versions prior to 8.5, update to version 8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Named Pipe channel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ControlUp Real-Time Agent versions prior to 8.2.5 **Description** A hardcoded key in the ControlUp Real-Time Agent may allow a potential attacker to run OS commands via a WCF channel. **Recommendations** For versions prior to 8.2.5, update to version 8.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the WCF channel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Novell ZENworks Configuration Management (ZCM) versions 10.3 through 11.2 before 11.2.4 **Description** The issue concerns the web server in Novell ZENworks Configuration Management, which fails to properly authenticate requests to the "zenworks/jsp/index.jsp" endpoint. This allows remote attackers to perform directory traversal attacks, upload, and execute arbitrary programs by sending a request to TCP port 443. **Recommendations** For versions 10.3 through 11.2 before 11.2.4, update to version 11.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "zenworks/jsp/index.jsp" endpoint until a patch is available.