
CVE-2022-24082

Pega Platform 8.1.0 - Remote Code Execution (RCE)

Severity Score: 9.8 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits: 2 (Multiple Sources)
Exploited in Wild (KEV): -
Decision (SSVC): -
Descriptions

If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.


Pega Platform versions 8.1.0 through 8.7.3 suffer from a remote code execution vulnerability. If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the underlying system. This does not affect systems running on PegaCloud due to its design and architecture.

*Credits: Marcin Wolak, Rabobank Red Team
CVSS Scores (Common Vulnerability Scoring System)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
SSVC (Organization's Worst-case Scenario)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
Timeline
  • 2022-01-27 CVE Reserved
  • 2022-07-19 CVE Published
  • 2023-03-28 First Exploit
  • 2024-08-03 CVE Updated
  • 2024-10-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product   Version            Other  Status
Pega    Infinity  >= 8.1.0 < 8.7.3   -      Affected