Security Experts:

Connect with us

Hi, what are you looking for?



Symantec Patches Critical Vulnerabilities in Endpoint Protection

Flaws in Symantec Endpoint Protection Could Allow Hackers to Compromise Corporate Networks

Flaws in Symantec Endpoint Protection Could Allow Hackers to Compromise Corporate Networks

Researchers at penetration testing company Code White have identified several critical vulnerabilities in Symantec Endpoint Protection (SEP) 12.1. Experts say an attacker could exploit the security holes to gain access to an organization’s entire corporate network.

Code White discovered that the Symantec Endpoint Protection Manager (SEPM) is plagued by a total of six vulnerabilities. The list includes an authentication bypass (CVE-2015-1486), three path traversals (CVE-2015-1487, CVE-2015-1488, CVE-2015-1490), a privilege escalation (CVE-2015-1489), and multiple SQL injections (CVE-2015-1491). Researchers also found that SEP clients are plagued by a high severity binary planting flaw (CVE-2015-1492).

“In combination, [the vulnerabilities] effectively allow an unauthenticated attacker the execution of arbitrary commands with ‘NT AuthoritySYSTEM’ privileges on both the SEP Manager (SEPM) server, as well as on SEP clients running Windows. That can result in the full compromise of a whole corporate network,” Code White researchers said in a blog post.

According to experts, an attacker can compromise the SEPM server by first exploiting CVE-2015-1486 to access SEPM without authentication. Then, attackers could gain full access to the SEPM server by leveraging one of the path traversal bugs (CVE-2015-1487) and a privilege escalation weakness (CVE-2015-1489).

Full compromise of SEP clients can be achieved by exploiting the binary planting vulnerability, which allows the execution of arbitrary code with “NT AuthoritySYSTEM” privileges on Windows clients.

“We have successfully demonstrated that a centralized enterprise management solution like the Symantec Endpoint Protection suite is a critical asset in a corporate network as unauthorized access to the manager can have unforeseen influence on the managed clients,” Code White said.

Symantec has patched these vulnerabilities with the release of SEP 12.1 RU6 MP1. All prior versions of SEP 12.1 are affected.

Since proof-of-concept (PoC) code has been publicly released, users are advised to update their SEP installations as soon as possible. Those who are unable to update right away can apply mitigations recommended by Symantec. The security firm will also push out IPS signatures to detect and prevent attack attempts leveraging some of the vulnerabilities.

“In a recommended installation, the Symantec Endpoint Protection Manager server should never be accessible external to the network which still allows internal attack attempts from malicious less-privileged users but should restrict external attack attempts,” Symantec said in an advisory. “However, a malicious, non-authorized individual could leverage known methods of trust exploitations to compromise a client user in an attempt to gain network/system access. These exploitation attempts generally require enticing a previously authenticated user to access a malicious link in a context such as a web link or in an HTTP email.”

The company has pointed out that it hasn’t seen any exploitation attempts or adverse customer impact from these flaws.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.