The CERT Coordination Center (CERT/CC) published a vulnerability note regarding the risk of admin credential theft for users of PDQ Deploy.
PDQ Deploy is a service that enables system administrators to deploy software and updates to machines within their network. The CERT/CC notice, published Wednesday, describes how admin credentials used by PDQ Deploy to install software could be stolen by an attacker with local access prior to their deletion from the target machine.
The risk arises when an administrator uses PDQ Deploy’s “Deploy User” run mode, which temporarily places credentials on the target device or devices for the purpose of installing software and updates. After installation, these credentials are deleted from the device; however, they can be retrieved from active memory before the deletion step using credential-dumping tools such as Mimikatz, according to CERT/CC.
“If using a domain user, these credentials created by the Deploy User domain account are static and can be used to compromise any other device that is enrolled in PDQ Deploy through Active Directory sharing this user, allowing for lateral movement,” CERT/CC Vulnerability Note VU #164934 stated.
CERT/CC noted that the “Local System” run mode is also susceptible to this attack — although this mode uses a local system account with lower privileges to install software, it still uses the “Deploy User” account to connect to the device and start the local system account, so the credential is still exposed to theft on that machine.
PDQ Deploy was notified of the issue in July 2024 and said in a response that the risk is “due to long-established and well-understood vulnerabilities in Microsoft Windows that enable credentials in active memory to be extracted.”
Users are advised by PDQ Deploy to mitigate the issue by using the Windows Local Administrator Password Solution (LAPS) to create credentials specific to each endpoint when using PDQ Deploy and by using the principle of least privilege when selecting credentials, ensuring credentials created on target machines only grant the necessary privileges to run the desired commands.
“Do not use domain administrator credentials unless you are automating actions on a domain controller — and if you must make use of such credentials, use them for this purpose only, using a lower-permission set of credentials for all other deployments, scans, and endpoints,” PDQ Deploy stated.
CERT/CC also recommended the use of Windows LAPS as a solution to the issue and noted that the “Logged on User” deploy mode is a more secure option that uses the active credentials of the currently logged-in user to create the necessary services to deploy software and updates. However, this alternative is only available on the Enterprise version of PDQ Deploy and requires user action to complete installations.
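A static “Deploy User” credential should only ever authenticate to endpoints as a network logon from the PDQ Deploy console host; a successful logon of that account from any other source, or any interactive logon, is the footprint of the lateral movement CERT/CC describes. The following detection is an added example, not code from CERT/CC or PDQ; the account name, console host address and the sample Windows 4624/4625 event lines are constructed placeholders.

```python
# Added detection example (not from the CERT/CC note or PDQ): flag Windows 4624
# logon events in which the PDQ "Deploy User" service account authenticates
# from anywhere other than the PDQ Deploy console host, or non-interactively.
# All account names, hosts and addresses below are constructed placeholders.
import re

DEPLOY_ACCOUNT = "svc_pdqdeploy"              # assumed name of the Deploy User account
CONSOLE_HOSTS = {"10.0.0.5", "PDQ-CONSOLE"}   # assumed PDQ Deploy console server
NETWORK_LOGON = "3"                           # the only logon type a push deploy should produce

# Constructed sample lines in a key=value layout such as a SIEM export might emit.
SAMPLE_LOGS = """\
EventID=4624 Computer=WS-101 TargetUserName=svc_pdqdeploy LogonType=3 IpAddress=10.0.0.5 WorkstationName=PDQ-CONSOLE
EventID=4624 Computer=WS-102 TargetUserName=svc_pdqdeploy LogonType=3 IpAddress=10.0.0.5 WorkstationName=PDQ-CONSOLE
EventID=4624 Computer=WS-102 TargetUserName=jdoe LogonType=2 IpAddress=- WorkstationName=WS-102
EventID=4624 Computer=FS-01 TargetUserName=svc_pdqdeploy LogonType=3 IpAddress=10.0.0.101 WorkstationName=WS-101
EventID=4624 Computer=WS-101 TargetUserName=svc_pdqdeploy LogonType=10 IpAddress=10.0.0.101 WorkstationName=WS-101
EventID=4625 Computer=WS-103 TargetUserName=svc_pdqdeploy LogonType=3 IpAddress=10.0.0.101 WorkstationName=WS-101
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))

def suspicious_deploy_logons(log_text, account=DEPLOY_ACCOUNT, console_hosts=CONSOLE_HOSTS):
    """Return (computer, reason) for each successful logon of the deploy account
    that was not a network logon originating from the console host."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        # Only successful logons (4624) of the deploy account are of interest here.
        if ev.get("EventID") != "4624" or ev.get("TargetUserName") != account:
            continue
        from_console = (ev.get("IpAddress") in console_hosts
                        or ev.get("WorkstationName") in console_hosts)
        if ev.get("LogonType") != NETWORK_LOGON:
            findings.append((ev["Computer"], f"non-network logon type {ev['LogonType']} from {ev['IpAddress']}"))
        elif not from_console:
            findings.append((ev["Computer"], f"network logon from non-console source {ev['IpAddress']}"))
    return findings

if __name__ == "__main__":
    for computer, reason in suspicious_deploy_logons(SAMPLE_LOGS):
        print(f"{computer}: {reason}")
```

On the constructed sample, the two logons of the deploy account from WS-101 (one network, one remote-interactive) are flagged, while the console-originated pushes and the failed 4625 attempt are not.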
PDQ Deploy has been exploited by threat actors in the past: in April 2024, an attacker compromised an organization and attempted to use PDQ Deploy to spread Medusa ransomware to other machines, ThreatDown reported. InfoGuard Head of Investigations Stephan Berger reported a similar case in 2022, where PDQ Deploy was used to run ransomware on target machines.