CVE-2023-26466
📋 TL;DR
This vulnerability allows non-admin users to modify client configuration files to change the server URL, potentially redirecting communications to malicious servers. It affects Pega Robotics and Workforce Intelligence clients where users have local file system access.
💻 Affected Systems
- Pega Robotics
- Pega Workforce Intelligence
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect all client-server communications to a malicious server, enabling man-in-the-middle attacks, credential theft, and complete compromise of robotic process automation workflows.
Likely Case
Malicious insiders or compromised user accounts could redirect specific automation workflows to attacker-controlled servers to intercept sensitive data or manipulate business processes.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and contained.
🎯 Exploit Status
Exploitation requires standard user access to modify configuration files. No special tools or advanced skills needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: B23 security update
Vendor Advisory: https://support.pega.com/support-doc/pega-security-advisory-b23-robotics-and-workforce-intelligence-local-privilege
Restart Required: Yes
Instructions:
1. Download the B23 security update from the Pega support portal.
2. Apply the update to all affected Pega Robotics and Workforce Intelligence clients.
3. Restart all updated clients.
4. Verify that configuration file permissions are properly restricted.
🔧 Temporary Workarounds
Restrict Configuration File Permissions
Windows: Remove write permissions on the client configuration files for non-admin users. Note that an explicit Deny entry takes precedence over any Allow entry for the same identity, so it also blocks administrator accounts that are members of the Users group; where that is a problem, remove the write grant instead of adding a deny.
icacls "C:\Program Files\Pega\Robotics\config.xml" /deny Users:(W)
icacls "C:\Program Files\Pega\Workforce Intelligence\config.xml" /deny Users:(W)
Implement Application Whitelisting
Windows: Prevent unauthorized modification of the configuration files using application control.
🧯 If You Can't Patch
- Implement strict file system permissions on all configuration files to prevent non-admin writes
- Monitor for unauthorized configuration changes using file integrity monitoring tools
🔍 How to Verify
Check if Vulnerable:
Check whether the configuration files in the Pega installation directories grant write permissions to non-admin users.
Check Version:
Check Pega client version in Help > About or review installed programs list
Verify Fix Applied:
Verify that the configuration files are now read-only for standard users and that the B23 update is installed.
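The following PowerShell script is an added example for the "Check if Vulnerable" and "Verify Fix Applied" steps; it is not part of the vendor advisory. It reads the ACL of each client configuration file and reports whether any standard-user principal holds an Allow entry with write-class rights that is not overridden by a Deny entry. The file paths are the ones quoted in the workaround above; the list of non-admin principals is an assumption to adjust for your environment.

```powershell
# Added example (not from the advisory): report whether non-admin principals can
# write the Pega client configuration files. Paths are taken from the workaround
# section of this page; adjust them to the actual install location.
$ConfigFiles = @(
    'C:\Program Files\Pega\Robotics\config.xml',
    'C:\Program Files\Pega\Workforce Intelligence\config.xml'
)
# Assumed set of principals that represent "standard users"; extend as needed.
$NonAdminPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                        'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow the file contents to be changed or the file to be replaced.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::WriteData -bor $R::AppendData -bor $R::Write -bor
               $R::Modify -bor $R::FullControl

function Test-PegaConfigWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false
                                  WritableByNonAdmin = $null; Grants = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Allow entries for non-admin identities carrying any write-class right.
    $allowed = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $NonAdminPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteRights) -ne 0)
    })
    # Deny entries for the same identities (what the icacls workaround adds);
    # an explicit Deny is evaluated before Allow entries on the same object.
    $denied = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $NonAdminPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteRights) -ne 0)
    })
    [pscustomobject]@{
        Path               = $Path
        Exists             = $true
        WritableByNonAdmin = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
        Grants             = $allowed | ForEach-Object {
            "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

# Run once before the fix (expect WritableByNonAdmin = True on an unpatched
# install with default ACLs) and again after patching or applying the workaround.
$ConfigFiles | ForEach-Object { Test-PegaConfigWritable -Path $_ } | Format-List
```

Inherited entries from the parent directory are included in `$acl.Access`, so a write grant that comes from the Pega install folder rather than the file itself is still reported.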
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modification events on Pega configuration files
- Unexpected server connection attempts from clients
Network Indicators:
- Clients connecting to non-standard or unexpected server URLs
- SSL/TLS certificate mismatches for Pega server connections
SIEM Query (Windows Security log; event 4663 is only generated when "Audit File System" auditing is enabled and the configuration files carry a SACL entry for write access, so confirm both before relying on this query):
EventID=4663 AND ObjectName LIKE '%Pega%config.xml' AND Accesses='WriteData'