CVE-2021-3122
published 2021-02-07

Priority: P1 · 90
Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Status: exploited in the wild (ITW); public exploit available; listed in VulnCheck KEV
EPSS: 87.38% (99.7th percentile)
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."

Affected (1 range)

Vendor   Product                Version range   Fixed in
ncr      command_center_agent   -               -

Detection & IOCs (extracted from sources)

Ports
  8089   CMCAgent listener that accepts the runCommand XML
  1888   POS-to-BOH channel used for scraped card data

Hashes (SHA-1, 40 hex)
  9b8cc45f061565f00f9aab34e6fbcec6fae4633f
  7c7c8ef5877f01011438410a4075e92731c7c51a
  2d9b601d09bc1e49c94b316263f96d6ee6e57c54
  7899092e973b38988aa472dabf20314f00399233
  b1983db46e0cb4687e4c55b64c4d8d53551877fa
  1df323c48c8ce95a80d1e3b9c368c7d7eaf395fc
  a3c81c9e3d92c5007ac2ef75451fe007721189c6
  bf6291d67a21c6cef919c8cc3e485b93daf8d71f
  3688ab0e31a2f2a8a2adeb934c1a10738ec0f2d6
  0894872f398e19051f5a6be1a50c44943e9635e8
  dc11a846e090094fc82d0cc6ca8914d09113658e
  4c5cc3ec6866a2054eb47820b35ad8a7d8982cd2
  4dfde37e5ff0a4b189f0c644b19b20fa63c41fe1
  282239c7d8e8606c88b15f7f2c7f30b5ec1b7fd4
  835c84dba74fdd2564806daf68958d22feaa2225
  a067833f67d829241703c9f488d5834c84b096fe
  cfe8c611e1a475a60f181005606d4094d1dad8e3
  eea0c3febedd84a0c2d69dfb1fb5a077ca8d320b
  cb3550ca012a39fbf48ad26f3b2bb1d4f8657b2e
  43299c2cdc2a0290de05b01ec6d04160bfcef99f

Domains
  ncr-aloha[.]net
  support.ncr-aloha[.]net
  nesinoder[.]com
  Support.nesinoder[.]com
  data-wire[.]net

IP addresses
  185.41.65[.]211
  5.34.183[.]20
  130.0.237[.]133
  47.90.58[.]130
  185.56.80[.]118
  62.20.60[.]242

Other strings
  mynodename
  <cmcsys

Bytes (Nuclei probe payload as extracted; the XML markup around the fields did not survive extraction)
  1runCommand00InProgressnslookup {{interactsh-url}}00000000-0000-0000-0000-000000000001WebServer
  • Detect exploitation attempts by monitoring for inbound TCP connections to port 8089 on Aloha BOH/POS servers, particularly from external/untrusted IP addresses connecting to cmcAgent.exe
  • Alert on cmcAgent.exe spawning child processes such as cmd.exe or powershell.exe, which indicates successful RCE via the runCommand XML parameter
  • Hunt for the CMCAgent banner response containing 'mynodename' / 'myNodeName' in Shodan/FOFA to identify publicly exposed vulnerable instances
  • Monitor for network traffic from Aloha BOH servers to the C2 domains support[.]ncr-aloha[.]net or support[.]nesinoder[.]com (both listed in the IOCs above), used by the threat actor's ScreenConnect RMM tool
  • Detect malware exfiltrating scraped credit card data over port 1888 from POS terminals to the BOH server
  • Look for suspicious file writes to c:\windows\temp by cmcAgent.exe, which may indicate post-exploitation staging activity
  • Nuclei detection: match TCP responses on port 8089 containing both '<cmcsys' and 'myNodeName' to confirm a vulnerable CMCAgent instance
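The detection notes above, turned into runnable checks over constructed sample telemetry. This is an added example, not code from the page's sources, the Nuclei template, or NCR. The Sysmon-style field names (EventID, Image, ParentImage, SourceIp, DestinationIp, DestinationPort, Initiated, QueryName, TargetFilename), the hostnames, paths and 10.20.x.x addresses are assumptions; the sample banner only reproduces the two tokens the Nuclei check matches on and says nothing about the real CMCAgent response format. The domains, IPs and ports are copied from the IOC list on this page.

```python
"""Detections for the CVE-2021-3122 indicators listed on this page.
Added example, not code from the page's sources or from NCR. Log records
are CONSTRUCTED Sysmon-style key=value lines, not real telemetry."""
import ipaddress
import re

# Indicators copied from the page's IOC list (defanging brackets removed).
C2_DOMAINS = {"ncr-aloha.net", "support.ncr-aloha.net", "nesinoder.com",
              "support.nesinoder.com", "data-wire.net"}
C2_IPS = {"185.41.65.211", "5.34.183.20", "130.0.237.133",
          "47.90.58.130", "185.56.80.118", "62.20.60.242"}
AGENT_PORT = "8089"   # CMCAgent listener that accepts the runCommand XML
EXFIL_PORT = "1888"   # POS -> BOH channel used for scraped card data
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: carries the two tokens the Nuclei check matches on; the real
# CMCAgent response format is not reproduced here.
SAMPLE_BANNER = b"<cmcsys><myNodeName>BOH-01</myNodeName></cmcsys>"


def is_vulnerable_banner(response: bytes) -> bool:
    """Nuclei-style fingerprint for port 8089: response carries both
    '<cmcsys' and 'myNodeName' (the page also lists lowercase 'mynodename')."""
    text = response.decode("latin-1")
    return "<cmcsys" in text and re.search("mynodename", text, re.I) is not None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip: str) -> bool:
    """RFC1918 only; ipaddress.is_private would also flag documentation
    ranges such as 203.0.113.0/24 and hide a test source as 'internal'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Parse 'Key=value Key="value with spaces"' records into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def detect(rec: dict) -> list:
    """Return the names of the page's detection rules that fire for one record."""
    alerts = []
    eid = rec.get("EventID")
    image = basename(rec.get("Image", ""))
    initiated = rec.get("Initiated", "").lower()
    if eid == "1" and basename(rec.get("ParentImage", "")) == "cmcagent.exe" \
            and image in SHELL_CHILDREN:
        alerts.append("cmcagent_spawned_shell")      # runCommand RCE succeeded
    if eid == "3":
        src, dst = rec.get("SourceIp", ""), rec.get("DestinationIp", "")
        if initiated == "false" and rec.get("DestinationPort") == AGENT_PORT \
                and not is_internal(src):
            alerts.append("external_inbound_8089")   # exploitation attempt
        if src in C2_IPS or dst in C2_IPS:
            alerts.append("known_c2_ip")
        if initiated == "true" and rec.get("DestinationPort") == EXFIL_PORT:
            alerts.append("pos_to_boh_1888")         # card-data staging traffic
    if eid == "22" and rec.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        alerts.append("c2_domain_lookup")            # ScreenConnect RMM beacon
    if eid == "11" and image == "cmcagent.exe" and \
            rec.get("TargetFilename", "").lower().startswith("c:\\windows\\temp\\"):
        alerts.append("cmcagent_temp_write")         # post-exploitation staging
    return alerts


def run_detections(lines) -> list:
    """Run detect() over every line; returns (line_no, alert) pairs in order."""
    return [(n, a) for n, line in enumerate(lines, 1) for a in detect(parse_kv(line))]


# Constructed sample telemetry. Hostnames, paths and the 10.20.x.x addresses are
# made up; the external IP and the DNS name are indicators from this page.
SAMPLE_LOGS = [
    'EventID=3 Image="C:\\NCR\\CMC\\cmcAgent.exe" SourceIp=185.41.65.211 '
    'DestinationIp=10.20.0.5 DestinationPort=8089 Initiated=false',
    'EventID=1 Image="C:\\Windows\\System32\\cmd.exe" '
    'ParentImage="C:\\NCR\\CMC\\cmcAgent.exe" CommandLine="cmd.exe /c whoami"',
    'EventID=11 Image="C:\\NCR\\CMC\\cmcAgent.exe" '
    'TargetFilename="C:\\Windows\\Temp\\stage.dat"',
    'EventID=22 Image="C:\\Tools\\ScreenConnect.ClientService.exe" '
    'QueryName=Support.nesinoder.com',
    'EventID=3 Image="C:\\POS\\term.exe" SourceIp=10.20.1.31 '
    'DestinationIp=10.20.0.5 DestinationPort=1888 Initiated=true',
    'EventID=3 Image="C:\\NCR\\CMC\\cmcAgent.exe" SourceIp=10.20.0.9 '
    'DestinationIp=10.20.0.5 DestinationPort=8089 Initiated=false',   # benign
]

if __name__ == "__main__":
    print("banner vulnerable:", is_vulnerable_banner(SAMPLE_BANNER))
    for line_no, alert in run_detections(SAMPLE_LOGS):
        print(f"line {line_no}: {alert}")
```

Two choices worth noting. The inbound-8089 rule only fires for non-RFC1918 sources, since legitimate Command Center traffic to the agent comes from inside the store network; the explicit RFC1918 list is used instead of `ipaddress.is_private` because the latter also classifies documentation ranges like 203.0.113.0/24 as private and would silently suppress a hit during testing. Domain matching lowercases the query name, so the mixed-case `Support.nesinoder[.]com` in the IOC list and the lowercase form match the same rule.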

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         3.1       9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD         2.0       10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck   -         9.8     CRITICAL   -