PT-2021-19204 · Ncr · Ncr Command Center Agent

Kyle Pagelow · Published 2021-02-07 · Updated 2025-10-29 · CVE-2021-3122

CVSS v2.0: 10 Critical
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: NCR Command Center Agent version 16.3
Description: The CMCAgent component in NCR Command Center Agent version 16.3, used on Aloha POS/BOH servers, accepts a runCommand parameter inside an XML document submitted to the "/" API endpoint on port 8089 and executes it. This allows remote, unauthenticated execution of arbitrary commands as SYSTEM. The issue was exploited in real-world attacks during 2020 and 2021 and has been linked to credit card theft incidents. The vendor's position is that exploitation is only possible on installations with a specific "misconfiguration"; this advisory does not describe what that misconfiguration is.
Recommendations: Version 16.3 is known to be affected, and earlier versions are potentially affected as well. At the time of writing there is no information about a newer version that fixes this vulnerability. Until a fix is available, ensure that port 8089 on Aloha POS/BOH servers is not reachable from untrusted networks, and consult the vendor about the configuration it says is required for exploitation.
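A detection check for the behaviour described above, added here as an example; it is not NCR's code, not code from this advisory, and not an exploit. It flags HTTP requests to port 8089 whose XML body carries a runCommand element or attribute, and falls back to a byte-level scan when the body is not well-formed XML so a deliberately broken document cannot slip past the parser. The sample request bodies, the `Finding` type and the `classify_request`/`scan` helpers are constructed for this example; the real CMCAgent XML schema is not documented on this page and is not reproduced.

```python
"""Flag CVE-2021-3122-style traffic: an XML body carrying a runCommand
parameter, sent to the CMCAgent listener on port 8089.

Added example for this advisory; not NCR's code and not an exploit. The
exact XML schema CMCAgent expects is not documented here, so the sample
bodies below are constructed to exercise the detection logic only.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CMCAGENT_PORT = 8089      # listener named in the advisory
PARAM = "runcommand"      # matched case-insensitively to catch variants


@dataclass
class Finding:
    location: str   # "element", "attribute" or "raw" (regex fallback)
    name: str       # tag or attribute name as it appeared
    value: str      # the command string it carried


# Fallback for bodies that are not well-formed XML: match runCommand used
# either as a tag (runCommand>...) or as an attribute (runCommand="...").
_RAW_RE = re.compile(rb"runcommand\s*[=>]\s*[\"']?([^<\"']*)", re.IGNORECASE)


def find_run_command(body: bytes) -> list[Finding]:
    """Return every runCommand element or attribute in an XML body.

    A malformed document falls back to a byte-level regex so that a
    deliberately broken body cannot evade the check. In production, parse
    untrusted XML with defusedxml rather than xml.etree so the detector
    itself is not exposed to entity-expansion denial of service.
    """
    findings: list[Finding] = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        for m in _RAW_RE.finditer(body):
            value = m.group(1).decode("utf-8", "replace").strip()
            findings.append(Finding("raw", "runCommand", value))
        return findings

    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # strip any namespace prefix
        if tag.lower() == PARAM:
            findings.append(Finding("element", tag, (elem.text or "").strip()))
        for attr, val in elem.attrib.items():
            if attr.split("}")[-1].lower() == PARAM:
                findings.append(Finding("attribute", attr, val.strip()))
    return findings


def classify_request(dst_port: int, path: str, body: bytes) -> str:
    """Verdict for one captured HTTP request to a POS/BOH host."""
    if dst_port != CMCAGENT_PORT:
        return "ignore"                      # not the CMCAgent listener
    hits = find_run_command(body)
    if not hits:
        return "benign"
    commands = "; ".join(f.value for f in hits)
    return f"alert: runCommand submitted to CMCAgent {path} -> {commands}"


# Constructed sample requests (name, destination port, path, body).
SAMPLES = [
    ("status", 8089, "/", b"<request><type>status</type></request>"),
    ("element", 8089, "/", b"<request><runCommand>cmd.exe /c whoami</runCommand></request>"),
    ("attribute", 8089, "/", b'<request runCommand="powershell -enc AAAA"/>'),
    # Missing closing tag: not well-formed, so the regex fallback handles it.
    ("malformed", 8089, "/", b"<request><runCommand>net user x y /add</request>"),
    ("other_port", 8080, "/", b"<request><runCommand>x</runCommand></request>"),
]


def scan(samples=SAMPLES) -> dict[str, str]:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify_request(port, path, body) for name, port, path, body in samples}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:11s} {verdict}")
```

The port check is what keeps this from firing on every XML document with a similarly named field elsewhere on the network; if CMCAgent is found listening on another port in your environment, adjust `CMCAGENT_PORT` rather than dropping the check. Because the vendor ties exploitation to a misconfiguration it does not describe here, treat any hit as a reason to inspect the host's configuration and its exposure of port 8089, not only the single request.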

Exploit · RCE · OS Command Injection

Weakness Enumeration: none listed

Related Identifiers: CVE-2021-3122

Affected Products: Ncr Command Center Agent