High severity8.1NVD Advisory· Published Mar 11, 2017· Updated May 13, 2026

CVE-2017-6466

Description

F-Secure Software Updater 2.20, as distributed in several F-Secure products, downloads installation packages over plain http and does not perform file integrity validation after download. Man-in-the-middle attackers can replace the file with their own executable which will be executed under the SYSTEM account. Note that when Software Updater is configured to install updates automatically, it checks if the downloaded file is digitally signed by default, but does not check the author of the signature. When running in manual mode (default), no signature check is performed.

Affected products

F-Secure/Software Updater
cpe:2.3:a:f-secure:software_updater:2.20:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2017/Mar/28nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/96784nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000