Insider Threat Management Windows Agent Remote Code Execution Vulnerability,
Advisory ID: PFPT-SA-2020-0002
The Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) prior to version 7.9 contains a vulnerability in the endpoint service "rcdsvc". The vulnerability allows a remote attacker with valid credentials on the Windows system to execute arbitrary code with the privileges of the Windows SYSTEM user. The vulnerability is caused by improper deserialization over named pipes. Agents for Mac and Linux are unaffected by this vulnerability.
All versions between 6.3 and 7.8.2 are affected by this vulnerability.
Proofpoint has released fixes in versions 7.4.2, 7.5.3, 7.6.4, 7.7.4, 7.8.3, and 7.9
The patched versions of the agent are now available through the customer support portal.
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Proofpoint would like to thank Lee Christensen for their assistance.