// For flags

CVE-2018-6223

Trend Micro Encryption for Email Gateway Registration Authentication Bypass Vulnerability

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A missing authentication for appliance registration vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to manipulate the registration process of the product to reset configuration parameters.

Una vulnerabilidad de falta de autenticación para el registro de dispositivos en Trend Micro Email Encryption Gateway 5.5 podría permitir que un atacante manipule el proceso de registro del producto para reiniciar los parámetros de configuración.

This vulnerability allows remote attackers to reset the Administrator password on vulnerable installations of Trend Micro Encryption for Email Gateway. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the product registration process. The issue results from the lack of validating the product registration status prior to performing product registration. An attacker can leverage this vulnerability to reset the Administrator password.

Trend Micro Email Encryption Gateway suffers from cleartext transmission of sensitive information, missing authentication, cross site request forgery, cross site scripting, and various other vulnerabilities.

*Credits: Steven Seeley of Source Incite
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-01-25 CVE Reserved
  • 2018-02-21 CVE Published
  • 2024-06-18 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-306: Missing Authentication for Critical Function
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Trendmicro
Search vendor "Trendmicro"
 Email Encryption Gateway
Search vendor "Trendmicro" for product "Email Encryption Gateway"
 5.5
Search vendor "Trendmicro" for product "Email Encryption Gateway" and version "5.5"
-
Affected