It’s funny how companies try to play down issues. Well, this is a 9.8 CRITICAL, yet listed as a MEDIUM. This was used to breach FORD, and the POC was given a 90 day hold for release, so, once the POC drops the world will see what this does.
Pega originally didn’t appear to even want to issue a CVE, and I did some research that included speaking with other researchers about Pega, and it seems to be a standard thing for them to play down their issues and/or try to sweep them under the rug — from what I’ve heard and seen actual proof of (sources will be kept confidential). So, we will see how it goes.
You can get more information on the CVE by going to https://cve.report/CVE-2021-27653, although this is just the tip of the iceberg.
This was initially worked on by me and my friend break3r, we breached FORD with it, then I brought it to my hacker crew SAKURA SAMURAI for further research and more findings. The full team included me, break3r, John Jackson, Aubrey Cottle, and Jackson Henry.