The vulnerability allowed attackers to perform actions on behalf of system administrators, such as disabling protection and developing an attack on the network.
McAfee has acknowledged Positive Technologies expert Mikhail Klyuchnikov for eliminating the vulnerability in McAfee ePolicy Orchestrator (McAfee ePO), a security management console that helps protect endpoints, networks, and data, and ensure compliance with security standards. More than 36,000 businesses and organizations use the McAfee ePO console.
The vulnerability, CVE-2020-7318, received a CVSS v3.1 score of 4.6.
Mikhail Klyuchnikov explained: "The vulnerability is caused by improper filtering of user data. It is a classic XSS vulnerability. Attackers can trick system administrators into following a malicious link and performing illegitimate actions in the administrator panel on the administrator's behalf, by exploiting the panel's standard functions, or search for additional vulnerabilities to breach other network segments. Attackers can be both internal and external."
To eliminate the vulnerability, users need to update the system to ePO 5.10.0 Update 9.
Previously, Positive Technologies had discovered a dangerous vulnerability in McAfee ATM security software.