Pega CVE-2021-27653, March 2021

It’s funny how companies try to play down issues. Well, this is a 9.8 CRITICAL, yet listed as a MEDIUM. This was used to breach FORD, and the POC was given a 90 day hold for release, so, once the POC drops the world will see what this does.

Pega originally didn’t appear to even want to issue a CVE, and I did some research that included speaking with other researchers about Pega, and it seems to be a standard thing for them to play down their issues and/or try to sweep them under the rug — from what I’ve heard and seen actual proof of (sources will be kept confidential). So, we will see how it goes.

You can get more information on the CVE by going to, although this is just the tip of the iceberg.

This was initially worked on by me and my friend break3r, we breached FORD with it, then I brought it to my hacker crew SAKURA SAMURAI for further research and more findings. The full team included me, break3r, John Jackson, Aubrey Cottle, and Jackson Henry.

By Robert Willis (rej_ex)

I'm an infosec, cybersecurity professional who enjoys continuously learning and hacking. I also collect and make comics books. I role with my crew -- Sakura Samurai. Follow me on Twitter @rej_ex.

Leave a comment

Your email address will not be published. Required fields are marked *