CVE-2021-3122

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

NCR Command Center Agent - OS Command Injection

Title source: rule

Description

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

Exploits (2)

nomisec · WRITEUP · 4 stars
by acquiredsecurity · poc
https://github.com/acquiredsecurity/CVE-2021-3122-Details

metasploit · WORKING POC · NORMAL
by daffainfo (Muhammad Daffa), jjcho (Jericho Nathanael Chrisnanta) · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ncr_cmcagent_rce.rb

Nuclei Templates (1)

NCR Command Center Agent 16.3 - Remote Command Execution
CRITICAL · VERIFIED · by daffainfo, jjcho
Shodan: mynodename
FOFA: mynodename

Scores

CVSS v3 9.8
EPSS 0.9036
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-02-07
InTheWild.io 2021-02-09
CWE CWE-78
Status published
Products (1)
ncr/command_center_agent 16.3
Published Feb 07, 2021
Tracked Since Feb 18, 2026