PT-2022-13481 · McAfee · McAfee Enterprise ePolicy Orchestrator

Published

2022-03-23

·

Updated

2023-07-24

·

CVE-2022-0862

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

McAfee Enterprise ePolicy Orchestrator versions prior to 5.10 Update 13

Description

A lack of password change protection in a deprecated API allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10, and the API has now been disabled. Other protection is in place to reduce the likelihood of this succeeding by sending a link to a logged-in user.

Recommendations

For versions prior to 5.10 Update 13, update to version 5.10 Update 13 or later to resolve the issue. As a temporary workaround, consider disabling the deprecated API until a patch is available. Restrict access to the API to minimize the risk of exploitation. Avoid using the API for password changes until the issue is resolved.
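The weakness class the description names, as an added illustration that is not McAfee's code and makes no claim about how the ePO API was implemented: a legacy password-change handler that trusts the authenticated session alone, beside a hardened handler that requires proof of the current password and a session-bound anti-forgery token before replacing the credential. The store, session, request layout, outcome strings and sample user are all constructed for this example.

```python
"""Added illustration of password-change protection; not ePO code.
All names, the request layout and the sample user are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against the candidate."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Minimal in-memory credential store (constructed for the example)."""

    def __init__(self) -> None:
        self._creds = {}  # username -> (salt, digest)

    def set_password(self, username: str, password: str) -> None:
        self._creds[username] = hash_password(password)

    def check(self, username: str, password: str) -> bool:
        entry = self._creds.get(username)
        return entry is not None and verify_password(password, *entry)


class Session:
    """An authenticated session carrying a per-session anti-forgery token."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.csrf_token = secrets.token_urlsafe(32)


# Outcome strings returned by the handlers (assumed for this example).
OK = "ok"
REJECT_CSRF = "rejected: missing or invalid anti-forgery token"
REJECT_CURRENT = "rejected: current password not verified"
REJECT_POLICY = "rejected: new password does not meet policy"


def change_password_legacy(store: UserStore, session: Session, request: dict) -> str:
    """Weak: trusts the session alone, so whoever can drive a logged-in
    session (for instance through a crafted link) can rotate the password."""
    store.set_password(session.username, request["new_password"])
    return OK


def change_password_hardened(store: UserStore, session: Session, request: dict) -> str:
    """Hardened: session-bound token, proof of the current password,
    and a minimal policy check before the credential is replaced."""
    token = request.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return REJECT_CSRF
    current = request.get("current_password")
    if current is None or not store.check(session.username, current):
        return REJECT_CURRENT
    new_password = request.get("new_password", "")
    if len(new_password) < 12 or new_password == current:
        return REJECT_POLICY
    store.set_password(session.username, new_password)
    return OK


def demo() -> dict:
    """Run both handlers against a constructed user and collect the outcomes."""
    results = {}
    store = UserStore()
    store.set_password("alice", "correct horse battery staple")  # constructed user
    session = Session("alice")

    forged = {"new_password": "attacker-chosen-secret-1"}  # no current password, no token
    results["legacy_forged"] = change_password_legacy(store, session, forged)
    results["legacy_took_effect"] = store.check("alice", "attacker-chosen-secret-1")

    store.set_password("alice", "correct horse battery staple")  # reset for the hardened run
    with_token = {**forged, "csrf_token": session.csrf_token}
    results["hardened_forged"] = change_password_hardened(store, session, forged)
    results["hardened_no_current"] = change_password_hardened(store, session, with_token)
    results["hardened_wrong_current"] = change_password_hardened(
        store, session, {**with_token, "current_password": "guess"})
    results["hardened_valid"] = change_password_hardened(
        store, session, {**with_token,
                         "current_password": "correct horse battery staple",
                         "new_password": "a-much-longer-new-secret"})
    results["hardened_took_effect"] = store.check("alice", "a-much-longer-new-secret")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The legacy path accepts the forged request outright, which is the behaviour the advisory's CWE entries (Improper Authentication, Insufficiently Protected Credentials) describe; the hardened path rejects it at the token check, then at the current-password check, and only succeeds when the caller proves possession of the existing credential. The same two checks are what to look for when auditing any password-change or credential-rotation endpoint, deprecated or not.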

Fix

Weakness Enumeration

Improper Authentication

Insufficiently Protected Credentials

CVE-2022-0862

Affected Products

McAfee Enterprise ePolicy Orchestrator