CVE-2018-19233
Description
COMPAREX Miss Marple Enterprise Edition before 2.0 allows local users to execute arbitrary code by reading the user name and encrypted password hard-coded in an Inventory Agent configuration file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local users can read hardcoded encrypted credentials in Miss Marple Agent config file, decrypt them with disclosed AES key, and execute arbitrary code on the remote server.
Vulnerability
Miss Marple Enterprise Edition before version 2.0 contains a hardcoded username and encrypted password in the Inventory Agent configuration file. The encryption uses AES-256 with a hardcoded key and initialization vector that can be obtained by decompiling the binary [1]. This allows local users to decrypt the credentials.
Exploitation
An attacker with local access to the configuration file reads the encrypted password and username. Using the hardcoded AES key and IV extracted from the binary, the attacker decrypts the password. The credentials are for a remote server used for inventory file deployment. The attacker can then authenticate to that server and execute arbitrary code via malicious updates [1]. No user interaction beyond local access is required.
Impact
Successful exploitation enables remote code execution on the inventory server, potentially leading to full compromise of the server and all Miss Marple Agents receiving updates. This can result in information disclosure, data manipulation, and lateral movement within the network [1].
Mitigation
The vendor provides a patch; users should upgrade to the latest version of Miss Marple Enterprise Edition immediately [1]. No workaround is mentioned. The product is not known to be listed on CISA KEV.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <2.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Hardcoded AES-256 encryption key and initialization vector in the agent binary allow decryption of the stored password."
Attack vector
A local attacker reads the configuration file of the Miss Marple Inventory Agent to obtain the username and the encrypted password. By decompiling the agent binary (MMIA.exe), the attacker discovers the hardcoded AES-256 key and initialization vector used to encrypt the password [ref_id=1]. Decrypting the password yields valid credentials for the remote server, allowing the attacker to deploy malicious updates via that server to all Miss Marple Agents [ref_id=1].
Affected code
The Miss Marple Inventory Agent configuration file stores a username and an encrypted password. The encryption method is AES-256 with a hardcoded key and initialization vector, which can be extracted by decompiling the MMIA.exe binary [ref_id=1].
What the fix does
The vendor provides a patch and users are urged to upgrade to the latest version available [ref_id=1]. The advisory does not include a specific patch diff, but the remediation is to remove the hardcoded cryptographic material from the agent binary and configuration, and to avoid storing decryptable credentials in configuration files.
Preconditions
- inputAttacker must have local access to the Miss Marple Inventory Agent configuration file and the MMIA.exe binary.
- inputAttacker must be able to decompile the binary to extract the hardcoded AES key and IV.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- packetstormsecurity.com/files/150427/Miss-Marple-Enterprise-Edition-File-Upload-Hardcoded-AES-Key.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2018/Nov/55mitremailing-listx_refsource_FULLDISC
- seclists.org/bugtraq/2018/Nov/37mitremailing-listx_refsource_BUGTRAQ
- www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-miss-marple-enterprise-edition/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.