Holes have been reported in Bitdefender's Gravity end-point protection platform that allow hackers to target corporate infrastructure.
Researcher Stefan Viehbock of SEC Consult Vulnerability Lab said the flaw affecting the latest version provided an entry point for attackers to move laterally through the network.
"Attackers are able to completely compromise the Bitdefender
GravityZone solution as they can gain system and database level access,"
Viehbock said in an advisory.
"Furthermore attackers can manage all endpoints."
contained three vulnerabilities, two of which were patched including an
unauthenticated local file disclosure in the platforms' web console and
update server that allowed attackers to read arbitrary files -
including cleartext passwords - "from the filesystem with the privileges
of the nginx operating system user."
Bitdefender also patched
missing authentication for particular scripts in the web user interface
that granted attackers access to admin functions.
A remaining flaw
meant the MongoDB database could be accessed and configuration data
altered using hardcoded username and password credentials that users
could not change.
The security vendor planned to patch the
remaining flaw at the end of the month. Security researchers recommended
customers stop using the platform until a patch was released and a
"thorough security review" was performed by security pros.