
CVE-1999-1366: Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini

Severity: Low
Type: Vulnerability
CVE ID: CVE-1999-1366
Published: Sat May 15 1999 (05/15/1999, 04:00:00 UTC)
Source: NVD
Vendor/Project: david_harris
Product: pegasus_mail

Description

Pegasus e-mail client 3.0 and earlier uses weak encryption to store POP3 passwords in the pmail.ini file, which allows local users to easily decrypt the passwords and read e-mail.

AI-Powered Analysis

Last updated: 07/01/2025, 17:55:01 UTC

Technical Analysis

CVE-1999-1366 affects Pegasus Mail client version 3.0 and earlier, which uses weak encryption to store POP3 passwords in the pmail.ini configuration file. A local user with file-system access to that file can easily decrypt and retrieve the stored passwords. Because the passwords are stored locally and protected only by a weak cryptographic method, an attacker or unauthorized user who gains local access to the system can compromise the confidentiality of the user's email credentials. Exploitation does not involve network access or a remote attack; it is purely a local issue. The weakness impacts the confidentiality and integrity of email accounts by exposing credentials that could be used to read email messages or impersonate the user. The vulnerability has a CVSS score of 3.6 (low severity), reflecting that it requires local access, has low attack complexity, needs no authentication beyond local access, and impacts confidentiality and integrity but not availability. No patches or fixes are available for this issue, and there are no known exploits in the wild. Given the age of the vulnerability (published in 1999) and the product versions affected, this issue is primarily relevant to legacy systems still running Pegasus Mail 3.0 or earlier.

Potential Impact

For European organizations, the impact of this vulnerability is generally low due to the age of the software and the requirement for local access to exploit it. However, organizations that maintain legacy systems or have users still running Pegasus Mail 3.0 or earlier could be at risk of credential compromise if an attacker gains local access to those systems. Compromised POP3 credentials could lead to unauthorized access to email accounts, potentially exposing sensitive communications and internal information. This could affect the confidentiality and integrity of email data, which are critical for business operations and for compliance with data protection regulations such as GDPR. The vulnerability does not allow remote exploitation, so the risk is limited to insider threats or attackers who have already breached perimeter defenses. Nonetheless, any exposure of email credentials can facilitate further lateral movement or phishing attacks within an organization.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify any systems still running Pegasus Mail version 3.0 or earlier and plan to upgrade to a more recent, supported email client that uses strong encryption for credential storage. If upgrading is not immediately possible, restrict local access to affected systems by enforcing strict access controls and monitoring for unauthorized access attempts. Encrypt the entire user profile or home directory to protect configuration files from unauthorized reading. Educate users about the risks of storing passwords in weakly encrypted files and encourage the use of secure password management solutions. Additionally, implement endpoint detection and response (EDR) tools to detect suspicious local activity that could indicate attempts to access or extract credentials. Regularly audit systems for legacy software and remove or replace outdated applications to reduce attack surface.


Threat ID: 682ca32cb6fd31d6ed7df000

Added to database: 5/20/2025, 3:43:40 PM

Last enriched: 7/1/2025, 5:55:01 PM

Last updated: 7/25/2025, 11:05:28 PM
