If you’re a user of SecurEnvoy SecurMail and you haven’t yet implemented the latest patch, do so now – or risk getting your encrypted emails read by attackers. The warning comes from SEC Consult researchers, who discovered a number of vulnerabilities in the product that break its core security promises.
They found seven CVE-assigned flaws. These include path traversal and insecure direct object reference vulnerabilities that could allow a legitimate recipient to read, in plain text, emails sent to other recipients, and a missing authentication and authorization flaw that could allow an attacker to extract or modify emails stored on the server, or to overwrite or delete emails stored in other users’ inboxes. And that is likely just the beginning.
“As we have identified several critical vulnerabilities within a very short time frame [during a brief crash test], we expect numerous other vulnerabilities to be present,” Johannes Greil, the Head of SEC Consult Vulnerability Lab, told Help Net Security.
Read more about the critical flaws that have been discovered in SecurEnvoy SecurMail on Help Net Security.