CVE-2021-45912
Description
An unauthenticated Named Pipe channel in ControlUp Real-Time Agent (cuAgent.exe) before 8.5 potentially allows an attacker to run OS commands via the ProcessActionRequest WCF method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated Named Pipe in ControlUp Real-Time Agent before 8.5 allows remote command execution via ProcessActionRequest.
Vulnerability
ControlUp Real-Time Agent (cuAgent.exe) versions before 8.5 expose an unauthenticated Named Pipe channel. The ProcessActionRequest WCF method in this channel does not require authentication, allowing an attacker to invoke it and run arbitrary OS commands. This affects all endpoints running an agent version prior to 8.5 (fixed releases: 8.5 for On-Premises, 8.5.1 for Hybrid Cloud) [2].
Exploitation
An attacker can interact with the Named Pipe from the network without any prior authentication. The attacker sends a crafted WCF message to the ProcessActionRequest method, which then executes supplied commands with the privileges of the agent process (typically SYSTEM). No user interaction is required.
Impact
Successful exploitation allows an attacker to execute arbitrary OS commands with high privileges, leading to full compromise of the endpoint. This can result in data theft, installation of malware, or lateral movement within the network.
Mitigation
The vulnerability is fixed in ControlUp Real-Time Agent version 8.5 (On-Premises) and 8.5.1 (Hybrid Cloud). ControlUp strongly urges upgrading all agents immediately, even if no longer in use [2]. No workarounds are available; patching is required.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Controlup/Real-Time Agent
- Range: <8.5
References
- controlup.com (mitre, x_refsource_MISC)
- www.controlup.com/security/security-advisory-local-privilege-escalation/ (mitre, x_refsource_MISC)