CVE-2021-3122

CRITICAL EXPLOITED IN THE WILD NUCLEI

NCR Command Center Agent 16.3 - Unauthenticated Remote Code Execution via runCommand Parameter

Title source: llm

Exploitation Summary

CVE-2021-3122 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including acquiredsecurity, daffainfo (Muhammad Daffa), jjcho (Jericho Nathanael Chrisnanta), including a Metasploit module exploits/windows/misc/ncr_cmcagent_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a link to a blog post detailing the discovery of CVE-2021-3122, a vulnerability in NCR AlohaPOS. The blog post includes technical analysis and context on how the vulnerability was exploited in the wild.

Description

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

Exploits (2)

nomisec WRITEUP 4 stars

by acquiredsecurity · poc

https://github.com/acquiredsecurity/CVE-2021-3122-Details

View Code ZIP pw:eip

This repository provides a link to a blog post detailing the discovery of CVE-2021-3122, a vulnerability in NCR AlohaPOS. The blog post includes technical analysis and context on how the vulnerability was exploited in the wild.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: NCR AlohaPOS

No auth needed

Prerequisites: Access to the blog post for detailed technical analysis

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC NORMAL

by daffainfo (Muhammad Daffa), jjcho (Jericho Nathanael Chrisnanta) · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ncr_cmcagent_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2021-3122, a remote code execution vulnerability in NCR Command Center Agent 16.3. It sends a crafted XML payload to port 8089, allowing unauthenticated command execution as SYSTEM.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NCR Command Center Agent 16.3

No auth needed

Prerequisites: Network access to port 8089 on the target system

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

NCR Command Center Agent 16.3 - Remote Command Execution

CRITICALVERIFIEDby daffainfo,jjcho

Shodan: mynodename

FOFA: mynodename

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://rdf2.alohaenterprise.com/client/CMCInst.zip

Third Party Advisory x_refsource_misc

https://www.tetradefense.com/incident-response-services/active-exploit-a-remote-code-execution-rce-vulnerability-for-ncr-aloha-point-of-sale/

Third Party Advisory x_refsource_misc

https://github.com/roughb8722/CVE-2021-3122-Details/blob/main/CVE-2021-3122

View Writeup ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.8738

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-02-07

InTheWild.io 2021-02-09

CWE

CWE-78

Status published

Products (1)

ncr/command_center_agent 16.3

Published Feb 07, 2021

Tracked Since Feb 18, 2026