Security Advisory: Email Security Password Reset Link Expiration Vulnerability (CVE-2018-16529)

Summary

Details about the password reset link expiration vulnerability in Forcepoint Email Security version 8.5.x. Take the actions recommended in this security advisory immediately to mitigate this issue.

Information

A password reset vulnerability has been discovered in Forcepoint Email Security 8.5.x. The password reset URL can be used after the intended expiration period or after the link has already been used. We would like to thank Eitan Shav from Citadel Cyber Security Consulting for bringing this to our attention.

Resolution

This vulnerability has been resolved in Hotfix 002, which has been released for 8.5.0 and 8.5.3. This fix will cause the password reset functionality to behave as expected. These hotfixes are available on the Forcepoint Support page, under Downloads.