Ford Breach, August 2021 Disclosure


A CVE in Pega CMS was found while researching on Ford’s VDP program. The vulnerability was initially identified by myself (@rej_ex) and break3r (@1337break3r). Subsequently, Sakura Samurai (@sakurasamuraii) members were brought in to participate in the research and the severity was escalated.

Aubrey Cottle (@Kirtaner), Jackson Henry (@JacksonHHax), and John Jackson (@johnjhacking) were the additional participating members.


The impact was large in scale. Attackers could use the vulnerabilities identified in the broken access control and obtain troves of sensitive records, perform account takeovers, and obtain a substantial amount of data.

O-Auth Access Tokens
Database Tables

During the research, a lack of access control in Pega services was noticed, which allowed for information disclosure — which included PII. Data retrieved included employee email addresses and information, O-Auth Access Tokens, finance account numbers, tickets within the work queue, user profiles within the organization, pulse actions, database tables and names, specific ticketing information and search bar history, internal interfaces, etc.

Accounts/Account Type/E-mail Addresses
Groups, Member Information
Ticket System
Change Management Access


The vulnerability was accepted and labeled as CVE-2021-27653 on April 1st, 2021. You can see more information on the CVE here.

By Robert Willis (rej_ex)

I'm an infosec, cybersecurity professional who enjoys continuously learning and hacking. I also collect and make comics books. I role with my crew -- Sakura Samurai. Follow me on Twitter @rej_ex.

Leave a comment

Your email address will not be published. Required fields are marked *