Insider Threat Management Remote Code Execution Vulnerability


Insider Threat Management Windows Agent Remote Code Execution Vulnerability,

Advisory ID: PFPT-SA-2020-0002

The Proofpoint Insider Threat Management Windows Agent (formerly ObserveIT Windows Agent) prior to version 7.9 contains a vulnerability in the endpoint service "rcdsvc". The vulnerability allows a remote attacker with valid credentials on the Windows system to execute arbitrary code with the privileges of the Windows SYSTEM user. The vulnerability is caused by improper deserialization over named pipes. Agents for Mac and Linux are unaffected by this vulnerability.

Patch Information

All versions between 6.3 and 7.8.2 are affected by this vulnerability.

Proofpoint has released fixes in versions 7.4.2, 7.5.3, 7.6.4, 7.7.4, 7.8.3, and 7.9

The patched versions of the agent are now available through the customer support portal.


8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


Proofpoint would like to thank Lee Christensen for their assistance.

Questions or comments?

Open a Support call or contact Support via your hotline phone number. Further updates will be posted as needed.