Rapid7

module

NCR Command Center Agent Remote Code Execution

Try Surface Command
Back to search
Disclosed
Feb 7, 2021
Created
Oct 30, 2025

Description

CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter
(within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command
as SYSTEM, as exploited in the wild in 2020 and/or 2021. The vendor's position is that exploitation occurs only
on devices with a certain "misconfiguration."

Authors

daffainfo (Muhammad Daffa)
jjcho (Jericho Nathanael Chrisnanta)

Platform

Windows

Architectures

x64, x86

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/misc/ncr_cmcagent_rce
    msf exploit(ncr_cmcagent_rce) > show targets
        ...targets...
    msf exploit(ncr_cmcagent_rce) > set TARGET < target-id >
    msf exploit(ncr_cmcagent_rce) > show options
        ...show and set options...
    msf exploit(ncr_cmcagent_rce) > exploit
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report