Advisory Details

This vulnerability allows attackers to recover user passwords on vulnerable installations of Trend Micro Encryption for Email Gateway. An attacker must first obtain access to the user database on the target system in order to exploit this vulnerability.

The specific flaw exists within the DBCrypto class. When storing user passwords, the process stores them in a recoverable format using a hard-coded key. An attacker can then leverage this vulnerability to decrypt existing passwords.

• 2018-01-02 - Vulnerability reported to vendor
• 2018-05-04 - Coordinated public release of advisory
• 2018-05-04 - Advisory Updated