Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated Critical on the CVSS scale. 

We would like to thank Mohamad Shokor for working with us to help protect our clients regarding Default Operators.  Pega issued this Security Advisory to remind clients of our leading practices as found in our installation and security checklist guides. 

The researcher contacted clients who had not changed the passwords of their default operators.

For all clients, guidance is being provided as follows:  https://docs.pega.com/bundle/platform-88/page/platform/security/securit….

To prevent unauthorized access with default passwords, change the passwords for all default operators. Disable or delete the operator IDs that you do not plan to use.
Note: The passwords should be changed for disabled operators as well. 

It is very important to keep your Pega systems current on the latest patch releases.

For more detailed information, please review your Client Advisory, [CAD-] case that was provided to your security and administrator contacts on April 24, 2023, in My Support Portal. 

 CVE Details

*In an effort to more accurately represent the C23 vulnerability we opted to break it out into two separate CVE’s, one for versions 6.1-7.3.1 and a second for versions 7.4- 8.8.x.