CVE-2021-27651

CRITICAL NUCLEI

Pega Infinity 8.2.1-8.5.2 - Authentication Bypass via Password Reset

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-27651. PoCs published by samwcyo, Vulnmachines, orangmuda. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a detailed technical writeup for CVE-2021-27651, an authentication bypass vulnerability in Pega Infinity. It includes steps to reproduce the exploit, affected versions, and a Nuclei template for detection.

Description

In versions 8.2.1 through 8.5.2 of Pega Infinity, the password reset functionality for local accounts can be used to bypass local authentication checks.

Exploits (3)

nomisec WRITEUP 60 stars

by samwcyo · poc

https://github.com/samwcyo/CVE-2021-27651-PoC

View Code ZIP pw:eip

This repository provides a detailed technical writeup for CVE-2021-27651, an authentication bypass vulnerability in Pega Infinity. It includes steps to reproduce the exploit, affected versions, and a Nuclei template for detection.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Pega Infinity >= 8.2.1 and <= 8.5.2

No auth needed

Prerequisites: Access to the login page of a Pega instance

MITRE ATT&CK

T1110 - Brute Force T1078 - Valid Accounts

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP 2 stars

by Vulnmachines · poc

https://github.com/Vulnmachines/CVE-2021-27651

View Code ZIP pw:eip

This repository contains a README file describing CVE-2021-27651, a vulnerability in Pega Infinity related to password reset functionality. It includes references to a video demonstration and social media links but lacks actual exploit code or technical details.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Theoretical

Target: Pega Infinity

No auth needed

Prerequisites: Access to the Pega Infinity password reset functionality

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by orangmuda · poc

https://github.com/orangmuda/CVE-2021-27651

View Code ZIP pw:eip

This PoC demonstrates an authentication bypass vulnerability in Pega Infinity, allowing an attacker to reset any user's password without confirmation. It includes steps to exploit the flaw and achieve remote code execution post-authentication.

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Pega Infinity >= 8.2.1 and <= 8.5.2

No auth needed

Prerequisites: Access to the Pega Infinity login page · Victim's email address

MITRE ATT&CK

T1078 - Valid Accounts T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Pega Infinity - Authentication Bypass

CRITICALby idealphase,daffainfo

References (1)

Core 1

Core References

Release Notes, Vendor Advisory x_refsource_confirm

https://collaborate.pega.com/discussion/pega-security-advisory-a21-hotfix-matrix

Scores

CVSS v3 9.8

EPSS 0.5384

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (1)

pega/infinity 8.2.1 - 8.5.2

Published Apr 29, 2021

Tracked Since Feb 18, 2026