Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Multiple security vulnerabilities in Secure Elements Class 5 AVR (EVM) SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Multiple security vulnerabilities in Secure Elements Class 5 AVR (EVM)
US-CERT published 19 (!!!) advisories about vulnerabilities in Secure Element's Class 5 AVR (Automated Vulnerability Remediation). The product is also known as C5 EVM (Enterprise Vulnerability Management). It allows auditing, evaluation and compliance with various policies. You can find more information about the product at

There are too many vulnerabilities to list them here, but they look very bad ? starting from hard-coded user IDs and passwords, over same encryption settings for every message session to typical input validation vulnerabilities.

You can find the complete list at US-CERT's web site;

The vulnerability is reportedly patched in the latest version of the product, C5 EVM 2.8.1.

Thanks to Juha-Matti for reporting this.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Munich February 2022


400 Posts
ISC Handler
May 31st 2006

Sign Up for Free or Log In to start participating in the conversation!