It was discovered that malicious clients can trick the server component of the Bcfg2 configuration management system into executing commands with root privileges.