CVE-2021-45913
📋 TL;DR
ControlUp Real-Time Agent versions before 8.2.5 contain a hardcoded cryptographic key that allows attackers to authenticate to the WCF channel and execute arbitrary operating system commands. This affects organizations using ControlUp for IT monitoring and management. Attackers can achieve remote code execution with the privileges of the cuAgent.exe service.
💻 Affected Systems
- ControlUp Real-Time Agent
📦 What is this software?
ControlUp Agent by ControlUp
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with elevated privileges, install malware, steal credentials, and move laterally through the network.
Likely Case
Attackers gain initial foothold on affected systems, potentially leading to data exfiltration, ransomware deployment, or persistent backdoor installation.
If Mitigated
Limited impact due to network segmentation, proper access controls, and monitoring that detects unusual WCF channel activity.
🎯 Exploit Status
Exploitation requires network access to the WCF endpoint (default TCP port 80 or 443). The hardcoded key bypasses authentication entirely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.5 and later
Vendor Advisory: https://www.controlup.com/security/security-advisory-hardcoded-key/
Restart Required: Yes
Instructions:
1. Download ControlUp Real-Time Agent version 8.2.5 or later from the ControlUp portal.
2. Run the installer on affected systems.
3. Restart the cuAgent service or reboot the system.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to ControlUp Agent WCF endpoints (typically TCP 80/443) to trusted management systems only.
Use Windows Firewall. netsh advfirewall has no "not in range" operator for remoteip, so allow the trusted ranges explicitly and rely on the profile's default inbound action being Block (remove or narrow any broader allow rule the agent installer created for these ports):
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow ControlUp WCF from management" dir=in action=allow protocol=TCP localport=80,443 remoteip=TRUSTED_IP_RANGES
```
Service Account Hardening
Run the cuAgent.exe service under a least-privilege service account instead of SYSTEM/LocalService. The account needs the "Log on as a service" right; sc.exe requires a space after `obj=` and `password=`, and `sc.exe` (not `sc`) avoids the PowerShell alias for Set-Content:
```cmd
sc.exe config cuAgent obj= "DOMAIN\ServiceAccount" password= "<ServiceAccountPassword>"
sc.exe stop cuAgent
sc.exe start cuAgent
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ControlUp agents from untrusted networks.
- Deploy application allowlisting to prevent execution of unauthorized binaries even if command execution is achieved.
🔍 How to Verify
Check if Vulnerable:
Check ControlUp Agent version: Open ControlUp Console, navigate to monitored systems, check agent version. Versions below 8.2.5 are vulnerable.
Check Version:
```powershell
# Note: enumerating Win32_Product is slow and triggers an MSI consistency check of every installed product
Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*ControlUp*"} | Select-Object Name, Version
```
Verify Fix Applied:
Verify agent version is 8.2.5 or higher in ControlUp Console. Test WCF authentication by attempting to connect with old hardcoded key (should fail).
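An added PowerShell check for a single host (example code, not from the advisory or from ControlUp) that reads the agent version from the Uninstall registry keys, compares it against 8.2.5, and reports which account the cuAgent service runs as. It assumes the agent's Uninstall entry has a DisplayName containing "ControlUp" (as in the query above) and that the service is registered as "cuAgent".

```powershell
# Added example, not from the advisory or from ControlUp: report whether this host
# still runs a ControlUp Real-Time Agent below the fixed version 8.2.5 and which
# account the cuAgent service runs as. Assumptions: the agent's Uninstall entry
# has a DisplayName containing "ControlUp" and the service name is "cuAgent".
$FixedVersion = [version]'8.2.5'

function Get-ControlUpAgentVersion {
    # Read Uninstall keys directly; Win32_Product is slow and triggers an MSI
    # consistency check of every installed product each time it is queried.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ControlUp*' } |
        ForEach-Object {
            $v = $null
            if ([version]::TryParse([string]$_.DisplayVersion, [ref]$v)) {
                [pscustomobject]@{
                    Name       = $_.DisplayName
                    Version    = $v
                    Vulnerable = ($v -lt $FixedVersion)   # anything below 8.2.5
                }
            }
        }
}

function Get-CuAgentServiceAccount {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='cuAgent'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        State    = $svc.State
        RunsAs   = $svc.StartName
        # LocalSystem means a successful exploit runs as SYSTEM on this host.
        IsSystem = ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM'))
    }
}

$agents = @(Get-ControlUpAgentVersion)
if (-not $agents) { Write-Output "No ControlUp entry found in Uninstall keys on $env:COMPUTERNAME" }
$agents | Format-Table -AutoSize
Get-CuAgentServiceAccount | Format-List
```

Run it elevated so both the WOW6432Node hive and the service configuration are readable; the Vulnerable column is true for any parsed version below 8.2.5.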
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Unexpected process creation from cuAgent.exe parent
- Application logs: Failed authentication attempts to WCF channel using hardcoded key patterns
Network Indicators:
- Unusual network connections to cuAgent WCF endpoints from non-management systems
- Traffic patterns indicating command execution via WCF
SIEM Query:
The original query mixed AND/OR without grouping and compared a port to the string "80,443"; it also looked for cuAgent.exe with an unexpected parent rather than for the child processes named under Log Indicators. The version below matches those indicators (KNOWN_GOOD_CHILDREN is a placeholder for children the agent legitimately spawns in your environment):
```
source="windows" AND (
  (parent_process_name="cuAgent.exe" AND NOT process_name IN (KNOWN_GOOD_CHILDREN))
  OR
  (destination_port IN (80, 443) AND destination_ip IN (CONTROLUP_AGENT_IPS) AND NOT source_ip IN (TRUSTED_MGMT_IPS))
)
```