CVE-2018-18466

Name of the Vulnerable Software and Affected Versions SecurEnvoy SecurAccess version 9.3.502

Description An issue was discovered in SecurEnvoy SecurAccess. When put in Debug mode and used for RDP connections, the application stores emergency credentials in cleartext in the logs, which can be accessed by anyone. The vendor disputes this as a vulnerability, stating that disclosure of a local account password is only achievable when a custom registry key is added to the Windows registry, requiring administrator access.

Recommendations For SecurEnvoy SecurAccess version 9.3.502, consider disabling the Debug mode when not necessary, especially for RDP connections, to minimize the risk of exposing emergency credentials. Restrict access to the DEBUG folder to prevent unauthorized access to the logs. As a temporary workaround, avoid using the custom registry key provided by support staff for troubleshooting, unless absolutely necessary, and ensure that administrator access is strictly controlled. At the moment, there is no information about a newer version that contains a fix for this vulnerability.