Security researchers have recently found a critical security vulnerability in the Pega Infinity software which could be exploited to severely compromise the software.

Pega Infinity is an enterprise software suite, with over 2,000 users. The package includes customer service and sales automation, an AI-driven ‘customer decision hub’, workforce intelligence, and a ‘no-code’ development platform.

Some of its big-list customers include the FBI, US Air Force, Apple, American Express, and others.

Critical Bypass Vulnerability in Pega Infinity:

Tracked as CVE-2021-27651,  the vulnerability has been characterized as a critical severity vulnerability in the Pega Infinity software versions  8.2.1 to 8.5.2.

Successful exploitation of the vulnerability could facilitate a malicious actor to bypass the password reset framework of the software.

Also read,

Digging the bug:

According to security researchers Sam Curry, Justin Rhinehart, Brett Buerhaus, and Maik Robert,  threat actors can fully compromise the Pega instance using malicious techniques like remote code execution, including the alteration of dynamic pages or templates.

The researchers, when asked to detail the vulnerability,  said that they stumbled upon the bug while participating in Apple’s Bug Bounty program.

Vulnerability finder tool Burp Suite was utilized by the researchers to detect the password reset flaw.

It was found that a full compromise could be executed of any Pega instance with no prior information.

“These systems are largely public-facing and aren’t necessarily designed to be run internally, so at the time of reporting there was a large number of affected customers running Pega Infinity externally,” experts explained.

Security hotfix deployed:

The security experts have worked in coordination with the software organization to deploy a hotfix for the critical software vulnerability. 

The software vendor recommends that users running the Pega Infinity software on-premises should check if their version is affected and apply the relevant hotfix as soon as possible to mitigate any cybersecurity hazards.