CVE-2020-8884

Vulnerability

The Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) before version 7.9 contains a vulnerability in the endpoint service rcdsvc. Improper deserialization over named pipes allows remote authenticated users with valid Windows credentials to trigger arbitrary code execution. All versions between 7.4 and 7.8.2 are affected [2].

Exploitation

An attacker must have remote access to the Windows system and valid Windows credentials. No user interaction is required; the attacker sends a crafted serialized object over the named pipe to the rcdsvc service, which then deserializes it unsafely. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [2].

Impact

Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, enabling full control over the compromised Windows endpoint. This includes reading, modifying, or deleting sensitive data, installing programs, or creating new accounts [2].

Mitigation

Proofpoint released fixes in versions 7.4.2, 7.5.3, 7.6.4, 7.7.4, 7.8.3, and 7.9. Affected customers should upgrade to one of these patched versions via the customer support portal. No workaround is documented. The vulnerability does not affect Mac or Linux agents [2].