NCR · NCR Command Center Agent · CVE-2021-3122
**Name of the Vulnerable Software and Affected Versions**
NCR Command Center Agent version 16.3
**Description**
The CMCAgent component in NCR Command Center Agent version 16.3, used on Aloha POS/BOH servers, accepts an XML document submitted to the `/` API endpoint on port 8089. A `runCommand` parameter carried inside that document is executed by the agent, which gives a remote, unauthenticated attacker arbitrary command execution as SYSTEM. The issue was exploited in the wild during 2020 and 2021 and has been linked to payment card theft incidents. The vendor states that exploitation requires a specific "misconfiguration", which it does not describe.
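The request pattern described above (an XML body sent to port 8089 that carries a `runCommand` parameter) is the observable a defender can hunt for. The following detection check is an added example written for this page; it is not code from the advisory, from NCR, or from any exploit. The exact XML layout of a CMCAgent request is not documented here, so the check walks the whole tree and matches `runCommand` as either an element name or an attribute name, and falls back to a substring match when the body is not well-formed XML. The record format and the sample traffic are constructed for illustration.

```python
# Added example for CVE-2021-3122 detection; not code from the advisory or vendor.
# Flags HTTP requests to port 8089 whose XML body carries a `runCommand`
# parameter. The real XML schema is assumed, not known: the check accepts
# the name as an element tag (namespaced or not) or as an attribute.
import xml.etree.ElementTree as ET
from typing import Dict, List

CMCAGENT_PORT = 8089          # port named in the advisory
SUSPICIOUS_PARAM = "runCommand"


def xml_has_param(body: str, name: str = SUSPICIOUS_PARAM) -> bool:
    """True if any element tag or attribute in `body` is named `name`.

    Namespaced tags such as '{urn:x}runCommand' are matched on the local part.
    A body that does not parse falls back to a plain substring check so that a
    deliberately malformed request cannot dodge the detector.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return name in body
    for el in root.iter():
        local_tag = el.tag.rsplit("}", 1)[-1]
        if local_tag == name or name in el.attrib:
            return True
    return False


def flag_requests(records: List[Dict]) -> List[Dict]:
    """Return the records that target the CMCAgent port with a runCommand body."""
    hits = []
    for rec in records:
        if rec.get("dst_port") != CMCAGENT_PORT:
            continue
        if xml_has_param(rec.get("body", "")):
            hits.append(rec)
    return hits


# Constructed sample traffic (hypothetical; not captured from any real system).
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst_port": 8089, "method": "POST", "path": "/",
     "body": "<request><runCommand>hostname</runCommand></request>"},
    {"src": "10.0.0.6", "dst_port": 8089, "method": "POST", "path": "/",
     "body": '<request action="status"/>'},
    {"src": "10.0.0.7", "dst_port": 8080, "method": "POST", "path": "/",
     "body": "<request><runCommand>hostname</runCommand></request>"},
    {"src": "10.0.0.8", "dst_port": 8089, "method": "POST", "path": "/",
     "body": '<req runCommand="hostname"><x/></req>'},
    {"src": "10.0.0.9", "dst_port": 8089, "method": "POST", "path": "/",
     "body": "<request><runCommand>broken"},
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_RECORDS):
        print(f"ALERT {hit['src']} -> :{hit['dst_port']} {hit['path']} {hit['body']!r}")
```

Run against the constructed sample, the check flags the two well-formed requests to port 8089 that carry `runCommand` and the malformed one, and ignores the benign status request and the identical body sent to a different port. In production the records would come from a proxy or IDS that logs request bodies; if only flow data is available, any inbound connection to port 8089 from outside the management network is itself worth an alert.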
**Recommendations**
Version 16.3 is confirmed affected; earlier versions are potentially affected. At the time of writing there is no information about a newer version that fixes this vulnerability. Until one is available, limit network reachability of TCP port 8089 on Aloha POS/BOH servers to the hosts that need it, and review the deployment for the vendor-described misconfiguration.