No known exploits have hit the vulnerability, which affects every version of Symantec's Enterprise Security Manager but one.
Symantec on Tuesday patched a vulnerability in its Enterprise Security Manager tool that could enable a hacker to remotely control an infected computer.
The security vendor is warning users to update their software as soon as possible, saying this is a "high-risk" bug. All versions of ESM are vulnerable, except version 6.5.3, which includes the fixes and is not vulnerable.
A spokesman for Symantec said in an interview that the company isn't aware of any proof-of-concept code or exploits for this vulnerability.
The ESM tool is designed to discover and report vulnerabilities and security policy deviations, such as inappropriate passwords and missing patches.
The flaw lies in the fact that the tool does not authenticate someone who's making an upgrade request. That means a hacker could use the flaw to infect the system with malware.
"The vulnerability exists in the ESM agent remote upgrade interface," Symantec explained in an online advisory. "The ESM agent accepts remote upgrade requests from any entity that understands the upgrade protocol. The ESM agent does not currently verify that upgrades are from a trusted source. An attacker with knowledge of the agent protocol could deploy a piece of software that allows the attacker to control the host computer."
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.