This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Iron Mountain Connected Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Agent service, which listens by default on TCP port 16388. When handling a request containing the opcode 13, the Java process instantiates a class called LaunchCompoundFileAnalyzer. This class passes user-controlled data directly to Runtime.getRuntime().exec. This can be abused to execute code remotely in the agent process, in the context of the user running the software.
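The defect class described above, request data reaching `Runtime.exec` unchecked, is shown here beside a hardened launch path. This is an added example and not Iron Mountain's code: the advisory does not show the handler's source, so the class, method names, file paths and request field are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added illustration. All names, paths and the request field are hypothetical.
public class AnalyzerLaunchExample {
    // Assumed install location of the helper program and root of its input files.
    private static final Path ANALYZER = Paths.get("/opt/agent/bin/analyzer");
    private static final Path DATA_ROOT = Paths.get("/var/agent/data");

    // Defect pattern: the network-supplied field is used as the whole command line.
    static Process launchUnsafe(String requestField) throws IOException {
        return Runtime.getRuntime().exec(requestField);
    }

    // Hardened: the program is fixed; the field may only name a file under DATA_ROOT.
    static List<String> buildCommand(String requestField) {
        if (requestField == null || requestField.isEmpty()
                || requestField.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed file name");
        }
        // resolve() keeps an absolute input as-is, so the startsWith check rejects it.
        Path target = DATA_ROOT.resolve(requestField).normalize();
        if (!target.startsWith(DATA_ROOT) || target.equals(DATA_ROOT)) {
            throw new IllegalArgumentException("path is outside the data root");
        }
        // The argument always begins with DATA_ROOT, so it cannot be read as an option.
        return List.of(ANALYZER.toString(), target.toString());
    }

    static Process launchSafe(String requestField) throws IOException {
        // Argument list, no shell and no re-tokenising of the request string.
        return new ProcessBuilder(buildCommand(requestField)).start();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; nothing is executed here.
        String[] samples = {"job42/archive.dat", "../outside.dat", "/etc/hostname", ""};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + buildCommand(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + s + "\": " + e.getMessage());
            }
        }
    }
}
```

`normalize()` does not follow symbolic links, so where the input files already exist on disk, comparing `toRealPath()` results closes that gap. Input validation of this kind complements, and does not replace, authenticating requests and restricting which hosts can reach the service port.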