Blog / Security
Every remote command Nexus runs on a device is cryptographically signed — here is why
Remote scripting and patch deployment are two of the most useful things an endpoint agent can do — and two of the most dangerous if the authorization model behind them is weak. If an attacker can convince an agent that a malicious command came from the management platform, they get remote code execution across every device that agent is installed on. That is not a hypothetical; it is the exact failure mode security teams ask RMM vendors about first.
The Nexus endpoint agent does not trust a command because it arrived over the right connection. Every job — a script, a patch instruction, a remote-control session request — is signed with an Ed25519 key on the platform side before it ever reaches a device, and the agent verifies that signature before it will execute anything.
Signed, and default-deny
- Every remote job is Ed25519-signed by the platform — a device will not execute a job it cannot cryptographically verify.
- A default-deny capability registry sits in front of that: today, low-risk classes like echo, ping, and inventory collection are enabled, and higher-risk classes like arbitrary patch-apply or script execution are explicitly gated — nothing is implicitly trusted.
- The agent itself is outbound-only, the same architecture as the network monitoring agent — it phones home for jobs; nothing reaches in to hand it one.
That combination — signed authorization plus a default-deny registry — means the question "what can an attacker who compromises the management plane actually do to my endpoints" has a narrower, more specific answer than "whatever the RMM console can do," which is the honest answer for a lot of legacy tooling.
Patch deployment with ring rollout and auto-halt is live end-to-end on real hardware in our own practice today; remote scripting and remote control ride the same signed-job pipeline. We'd rather describe the actual cryptography than say "enterprise-grade security" and leave it there — ask us to show the signature verification path directly if you want to see it before you trust it.