CVE-2024-10635

Summary

Enterprise Protection contains an improper input validation vulnerability in attachment defense that allows an unauthenticated remote attacker to bypass attachment scanning security policy by sending a malicious S/MIME attachment with an opaque signature. When opened by a recipient in a downstream email client, the malicious attachment could cause partial loss of integrity and confidentiality to their system.

Affected Software

VendorProductVersion RangeStatus
ProofpointEnterprise Protection8.18.6 < patch 5110affected
ProofpointEnterprise Protection8.20.6 < patch 5134affected
ProofpointEnterprise Protection8.21.0 < patch 5112affected

Weaknesses

  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References