A new exploit tool has been released, specifically built to attack McAfee’s ePolicy Orchestrator (ePO). The exploit targets two vulnerabilities (CVE-2013-0140 and CVE-2013-0141) found in McAfee ePO versions 4.6.5 and earlier. The attacker must be on the local network in order to exploit these vulnerabilities.

The exploit tool allows an attacker on the local network to add rogue systems to an enterprise ePO server, steal domain credentials if they are cached within ePO, upload files to the ePO server, and execute commands on the ePO server as well as any systems managed by ePO.

McAfee issued a patch for these vulnerabilities last year. The exploit targets vulnerable versions 4.6.0 to 4.6.5, so if you have not updated, now would be a good time to do so. Tripwire IP360, as well as the free Tripwire SecureScan tool, will detect CVE-2013-0140 and CVE-2013-0141 on your network.

A video was published last year showing the tool, but the tool itself was just recently released to the public:

  • Jerome Nokin

    > The attacker must be on the local network in order to exploit these vulnerabilities.

    There is no such limitation actually. As soon as the ePO server is reachable, it can be compromised. No matter if you are inside or outside the network. Example: vulnerable ePO servers are currently exposed on the Internet.

  • Sorry, my mistake. I made an assumption that nobody would have an ePO server open to the Internet. Shodan has proven me wrong once again.