The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-3122

CVE-2021-3122: NCR Command Center Agent RCE Vulnerability

CVE-2021-3122 is a remote code execution vulnerability in NCR Command Center Agent 16.3 that allows unauthenticated attackers to execute arbitrary commands as SYSTEM. This article covers technical details, affected systems, and mitigations.

Published: February 25, 2026

CVE-2021-3122 Overview

CVE-2021-3122 is a critical remote code execution (RCE) vulnerability affecting the CMCAgent component in NCR Command Center Agent 16.3 deployed on Aloha POS/BOH servers. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges by submitting a specially crafted runCommand parameter within an XML document to port 8089. This vulnerability has been reported as actively exploited in the wild during 2020 and/or 2021, making it a significant threat to retail and hospitality environments utilizing NCR Aloha point-of-sale systems.

Critical Impact

Unauthenticated remote attackers can achieve complete system compromise with SYSTEM-level privileges on vulnerable POS/BOH servers, potentially enabling theft of payment card data, lateral movement within retail networks, and deployment of malware or ransomware.

Affected Products

  • NCR Command Center Agent 16.3
  • Aloha POS/BOH Servers running CMCAgent
  • Systems with CMCAgent listening on port 8089

Discovery Timeline

  • 2021-02-07 - CVE-2021-3122 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-3122

Vulnerability Analysis

This vulnerability exists in the CMCAgent service, which is part of the NCR Command Center Agent software used to manage Aloha point-of-sale systems. The CMCAgent service listens on TCP port 8089 and accepts XML-formatted commands for remote management purposes. The vulnerability stems from improper input validation and lack of authentication controls when processing incoming XML requests containing the runCommand parameter.

When the CMCAgent receives a malicious XML document containing the runCommand element, it executes the specified command directly on the underlying operating system without verifying the identity or authorization of the requester. Because the CMCAgent service runs with elevated privileges, any command executed through this mechanism inherits SYSTEM-level permissions, providing attackers with complete control over the compromised host.

The vulnerability is classified as CWE-78 (OS Command Injection), indicating that user-controllable input is passed directly to system command execution functions without proper sanitization or validation.

Root Cause

The root cause of CVE-2021-3122 is the combination of missing authentication on the CMCAgent network service and insufficient input validation when processing the runCommand parameter in XML requests. The CMCAgent was designed to accept remote management commands but fails to implement proper access controls or command filtering, allowing any network-accessible attacker to submit arbitrary operating system commands.

NCR has noted that exploitation occurs on devices with a certain "misconfiguration," suggesting that proper network segmentation or firewall rules should prevent external access to port 8089. However, in environments where this port is exposed—either intentionally or through misconfiguration—the vulnerability is trivially exploitable.

Attack Vector

The attack vector is network-based, requiring only TCP connectivity to port 8089 on the target system. An attacker crafts an XML document containing a malicious runCommand parameter and sends it to the CMCAgent service. The service parses the XML, extracts the command string, and executes it with SYSTEM privileges.

The attack requires no authentication credentials, no user interaction, and can be performed remotely from any network location with access to the vulnerable port. This makes the vulnerability particularly dangerous in environments where POS systems may be accessible from untrusted networks or where internal network segmentation is inadequate.

Typical exploitation scenarios include:

  • Attackers scanning for exposed port 8089 on internet-facing systems
  • Lateral movement within compromised networks to reach POS infrastructure
  • Insider threats with access to the POS network segment

The exploitation mechanism involves sending an XML payload to the CMCAgent service with a runCommand element containing the attacker's desired command. For detailed technical information, refer to the GitHub CVE-2021-3122 Details or the Tetra Defense RCE Vulnerability Analysis.

Detection Methods for CVE-2021-3122

Indicators of Compromise

  • Unexpected network connections to TCP port 8089 from unauthorized IP addresses
  • Suspicious process execution chains originating from the CMCAgent service
  • XML payloads containing runCommand parameters in network traffic logs
  • Unusual SYSTEM-level processes spawned on POS/BOH servers
  • Evidence of command execution artifacts such as new user accounts, scheduled tasks, or dropped files

Detection Strategies

  • Deploy network intrusion detection rules to identify XML traffic to port 8089 containing runCommand elements
  • Monitor CMCAgent process activity for child processes that deviate from expected behavior
  • Implement endpoint detection and response (EDR) solutions to detect command injection patterns
  • Analyze Windows Security Event Logs for process creation events (Event ID 4688) with suspicious command lines spawned by CMCAgent

Monitoring Recommendations

  • Configure firewall logging to track all traffic to/from port 8089 on POS systems
  • Establish baseline behavior for CMCAgent and alert on deviations
  • Implement SIEM correlation rules to detect potential exploitation attempts
  • Regularly audit network segmentation to ensure POS systems are isolated from untrusted networks

How to Mitigate CVE-2021-3122

Immediate Actions Required

  • Block external access to TCP port 8089 using host-based and network firewalls immediately
  • Implement network segmentation to isolate POS/BOH servers from untrusted network segments
  • Audit systems for signs of compromise if port 8089 was previously exposed
  • Contact NCR support to obtain guidance on secure configuration and available patches
  • Deploy intrusion prevention systems to block known exploitation patterns

Patch Information

Organizations should contact NCR directly for official patch information and secure configuration guidance. The vendor has indicated that proper configuration can prevent exploitation. Review the Tetra Defense RCE Vulnerability Analysis for additional remediation context. The Aloha Enterprise Client may contain updated software components.

Workarounds

  • Restrict access to port 8089 to only authorized management systems using firewall rules
  • Implement application-layer firewalls or web application firewalls (WAF) to inspect and filter XML traffic
  • Disable the CMCAgent service entirely if remote management functionality is not required
  • Use VPN or encrypted tunnels for any necessary remote management access to POS systems
bash
# Windows Firewall rule to block port 8089 from unauthorized networks
netsh advfirewall firewall add rule name="Block CMCAgent External Access" dir=in action=block protocol=TCP localport=8089 remoteip=any

# Allow only authorized management subnet (example: 10.0.100.0/24)
netsh advfirewall firewall add rule name="Allow CMCAgent Management" dir=in action=allow protocol=TCP localport=8089 remoteip=10.0.100.0/24

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechNcr Command Center Agent
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability87.10%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-78
  • Technical References
  • GitHub CVE-2021-3122 Details
  • Aloha Enterprise Client ZIP
  • Tetra Defense RCE Vulnerability Analysis
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English