CVE-2020-12618

Name of the Vulnerable Software and Affected Versions eM Client versions prior to 7.2.33412.0

Description The issue allows a man-in-the-middle attacker to obtain an email-validated S/MIME certificate from a trusted CA and replace the public key of the entity to be impersonated. This enables the attacker to decipher further communication. The entire attack could be accomplished by sending a single email.

Recommendations For versions prior to 7.2.33412.0, update to version 7.2.33412.0 or later to resolve the issue. As a temporary workaround, consider disabling the automatic import of S/MIME certificates until a patch is available. Restrict access to sensitive email communications to minimize the risk of exploitation.