CVE-2022-0862: 
McAfee ePolicy Orchestrator vulnerability analysis and mitigation

A lack of password change protection vulnerability was identified in McAfee Enterprise ePolicy Orchestrator (ePO)'s deprecated API versions prior to 5.10 Update 13. The vulnerability, tracked as CVE-2022-0862, was discovered and recorded on March 4, 2022. This security flaw affects the password change functionality in older versions of the ePO system (MITRE CVE).

The vulnerability exists in a deprecated API endpoint that lacks proper password change protection mechanisms. The functionality was previously removed from the User Interface in ePO 10, but the vulnerable API remained accessible until this security update. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and CWE-287 (Improper Authentication) (NVD).

If exploited, this vulnerability allows remote attackers to change the password of a compromised session without knowledge of the existing user's password. This could lead to unauthorized access to affected systems and potential compromise of security controls managed through the ePO platform (MITRE CVE).

The vulnerability has been addressed in McAfee Enterprise ePolicy Orchestrator (ePO) 5.10 Update 13. The vulnerable API has been disabled, and the functionality was already removed from the User Interface in ePO 10. Organizations are advised to upgrade to the latest version to protect against this vulnerability (MITRE CVE).