CVE-2021-45913
Description
A hardcoded key in ControlUp Real-Time Agent (cuAgent.exe) before 8.2.5 may allow a potential attacker to run OS commands via a WCF channel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hardcoded cryptographic key in ControlUp Real-Time Agent before 8.2.5 allows remote attackers to execute OS commands via a WCF channel.
Vulnerability
The ControlUp Real-Time Agent (cuAgent.exe) prior to version 8.2.5 contains a hardcoded cryptographic key used for authentication over a Windows Communication Foundation (WCF) channel. This key is embedded in the binary and can be extracted, allowing an attacker to impersonate the agent and send arbitrary commands to the service. The vulnerability exists in all versions before 8.2.5.
Exploitation
An attacker with network access to the WCF endpoint can extract the hardcoded key from the agent binary. Using this key, the attacker can authenticate to the WCF service and send crafted messages that trigger execution of arbitrary OS commands. No prior authentication or user interaction is required; the attacker only needs network connectivity to the target agent.
Impact
Successful exploitation results in remote code execution with the privileges of the agent process, typically running as SYSTEM. This gives the attacker full control over the affected endpoint, including the ability to install programs, view/change data, and create new accounts. The compromise is complete and can be used as a pivot point for lateral movement within the network.
Mitigation
ControlUp has released fixed versions: upgrade to ControlUp Real-Time Agent version 8.5.1 for Hybrid Cloud or 8.5 for On-Premises [2]. All agents, even those no longer in use, should be updated to eliminate the risk. No workaround is available; the only mitigation is to apply the patch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ControlUp/Real-Time Agent (description)
- Range: <8.2.5
Patches
No patches discovered yet.
References
- controlup.com (mitre, x_refsource_MISC)
- www.controlup.com/security/security-advisory-hardcoded-key/ (mitre, x_refsource_MISC)