Urgent Action Required: Pega Robotic Process Automation [RPA] and Workforce Intelligence Clients ONLY
Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has issued remediation updates for the following security vulnerabilities, each rated High on the CVSS scale. We would like to thank Skyler Knecht and William Martin for finding these vulnerabilities.
| CVE | Vulnerability | Description | CVSS Rating |
| --- | --- | --- | --- |
| CVE-2023-26466 | Modifiable Configuration Files | A user with non-Admin access can change a configuration file on the client to modify the Server URL | 7.8 |
| CVE-2023-26467 | Lack of Repository Authenticity Validation | A malicious server will be trusted by the client | 8.1 |
| CVE-2023-28093 | Lack of Certificate Validation | A client can start an unsigned binary as a service | 7.5 |
These vulnerabilities affect RPA and Workforce Intelligence desktop clients with Pega Synchronization Engine version 3.1.1 through 3.1.27. Only desktops with Pega Synchronization Engine installed are impacted by this issue.
A bad actor with non-admin user access to a client desktop running Pega Synchronization Engine could modify configuration files and execute malicious code on that desktop, which could provide them with Administrative access.
We are not aware of any of our clients being compromised as a result of this vulnerability.
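The following PowerShell script is an added example for administrators auditing their own desktops; it is not Pega's code and does not ship with the product. It checks the three weakness classes the advisory lists from a defender's side: whether the installed engine binary is below the fixed version, whether non-admin principals can write to the client configuration file, whether the configured server URL is the expected HTTPS endpoint, and whether the service binary carries a valid Authenticode signature. Every path, service name and URL in the `param` block is a placeholder that must be replaced with the values from your own deployment; the advisory does not publish them.

```powershell
# Added audit example (not Pega's code). All default values below are placeholders.
param(
    # Placeholder: path to the Synchronization Engine executable on the desktop
    [string]$EnginePath = 'C:\PLACEHOLDER\SynchronizationEngine\SyncEngine.exe',
    # Placeholder: path to the client configuration file the advisory refers to
    [string]$ConfigPath = 'C:\PLACEHOLDER\SynchronizationEngine\config.xml',
    # Placeholder: Windows service name under which the engine runs
    [string]$ServiceName = 'PLACEHOLDER_SyncEngineService',
    # Placeholder: the Synchronization Server URL the client is expected to use
    [string]$ExpectedServerUrl = 'https://sync-server.example.internal'
)

$findings = @()
$fixedVersion = [version]'3.1.30'   # remediated engine version named in the advisory

# Check 0: is the installed engine older than the remediated version?
if (Test-Path $EnginePath) {
    $installed = [version](Get-Item $EnginePath).VersionInfo.ProductVersion
    if ($installed -lt $fixedVersion) {
        $findings += "Engine version $installed is below $fixedVersion; update required"
    }
} else {
    $findings += "Engine binary $EnginePath not found (check the placeholder path)"
}

# Check 1 (CVE-2023-26466 class): can non-admin principals modify the config file?
if (Test-Path $ConfigPath) {
    $acl = Get-Acl -Path $ConfigPath
    $broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -in $broadPrincipals -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl') {
            $findings += "Config file is writable by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }

    # Check 2 (CVE-2023-26467 class): does the config point at the expected HTTPS server?
    $content = Get-Content -Path $ConfigPath -Raw
    if ($content -notmatch [regex]::Escape($ExpectedServerUrl)) {
        $findings += "Config file does not reference the expected server URL $ExpectedServerUrl"
    }
    if ($content -match 'http://') {
        $findings += 'Config file references a plain-HTTP URL'
    }
} else {
    $findings += "Config file $ConfigPath not found (check the placeholder path)"
}

# Check 3 (CVE-2023-28093 class): is the service binary Authenticode-signed?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    # PathName may be quoted and carry arguments; keep only the executable path
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '^(\S+\.exe).*$', '$1'
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        $findings += "Service binary $exe signature status: $($sig.Status)"
    } else {
        Write-Output "Service binary $exe is signed by $($sig.SignerCertificate.Subject)"
    }
} else {
    $findings += "Service $ServiceName not found (check the placeholder name)"
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' } else { $findings }
```

Run it from an elevated PowerShell session so that `Get-Acl` and `Get-CimInstance` can read the service and file metadata; a non-empty findings list means the desktop still exhibits one of the conditions the update is meant to remove, and the version check alone is enough to drive a fleet-wide inventory before the rollout described below.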
The remediation for this issue is to update client desktops to Pega Synchronization Engine version 3.1.30 or higher. Pega Synchronization Server can be used to complete the update.
When upgrading to Synchronization Engine version 3.1.30 or higher, you must first upgrade Pega Synchronization Server to version 3.1.22.
Synchronization Server (3.1.22) and Synchronization Engine (3.1.30) have been released, and can be found within the Robot Runtime 22.1.8 download that is available from My.Pega.com. These new versions offer additional logging and other security benefits.
Note that these components must be applied together: the new Synchronization Engine will not work without the new Synchronization Server. For best results, install the Synchronization Server first and use it to migrate Robot Runtime systems to Synchronization Engine 3.1.30.