
Vulnerability scanner detects Symantec Endpoint Protection Manager as vulnerable to CVE-2021-40438


Article ID: 230040


Updated On:


Endpoint Protection


During an audit you receive a report that Symantec Endpoint Protection Managers are vulnerable to CVE-2021-40438, and you would like to know how to mitigate the issue.


Server 2012
Server 2016
Server 2019
Server 2022


Symantec Endpoint Protection Manager:
14.3 RU1
14.3 RU1.MP1
14.3 RU2
14.3 RU3


Apache used in current builds of Symantec Endpoint Protection Manager may appear in basic vulnerability audit reports for CVE-2021-40438 because the audit tool in use did not fully validate the Symantec Endpoint Protection Manager 'loaded modules' or 'properties.conf' settings file and erroneously flagged the device.


Symantec Endpoint Protection Manager 14.3 RU3 is not vulnerable to CVE-2021-40438 in its default state.  It only becomes vulnerable if you have modified the Symantec Endpoint Protection Manager properties.conf and manually set up a reverse proxy (details below).

How you become vulnerable to CVE-2021-40438:
CVE-2021-40438 requires an administrator with local Symantec Endpoint Protection Manager hard drive access to set up a reverse proxy per this KB - 

If you have not executed the instructions in the above link, you are not vulnerable, as you must enable the function in the properties.conf manually to load the affected module. Unmodified SEPMs operating in a default install state do not load these modules. Symantec Endpoint Protection Manager is safe from CVE-2021-40438 as long as it is not being used as a reverse proxy per the KB outlined above.
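
The loaded-module check that a version-only scan skips, as an added example (not Broadcom's or any scanner vendor's code): it reads an Apache configuration and reports whether mod_proxy, the module named in the public CVE-2021-40438 description, is actually loaded. The sample configurations and the `EXAMPLE_FLAG` name are constructed, and the path to the server's httpd.conf is not given on this page, so it is taken as an argument.

```python
import re
import sys

# mod_proxy is the module named in the public CVE-2021-40438 description.
AFFECTED = "proxy_module"
LOAD = re.compile(r"LoadModule\s+(\S+)\s+\S+", re.I)
INCLUDE = re.compile(r"Include(?:Optional)?\s+(.+)", re.I)
OPEN = re.compile(r"<If\w+\b[^>]*>", re.I)
CLOSE = re.compile(r"</If\w+\s*>", re.I)

def audit_httpd_conf(text):
    """Return (status, includes): status is 'loaded', 'conditional' or
    'not-loaded'; includes lists files that must be audited the same way."""
    depth, status, includes = 0, "not-loaded", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives do nothing
            continue
        if CLOSE.match(line):
            depth = max(depth - 1, 0)
        elif OPEN.match(line):
            depth += 1
        elif (m := INCLUDE.match(line)):
            includes.append(m.group(1).strip().strip('"'))
        elif (m := LOAD.match(line)) and m.group(1).lower() == AFFECTED:
            if depth == 0:
                status = "loaded"
            elif status != "loaded":
                status = "conditional"  # inside <IfDefine>/<IfModule>: review by hand
    return status, includes

# Constructed sample configurations (not copied from a real SEPM install).
DEFAULT_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
"""
REVERSE_PROXY_CONF = DEFAULT_CONF.replace("#LoadModule proxy", "LoadModule proxy")
CONDITIONAL_CONF = """\
<IfDefine EXAMPLE_FLAG>
    LoadModule proxy_module modules/mod_proxy.so
</IfDefine>
Include conf/extra.conf
"""

if __name__ == "__main__":
    # Pass the path to the server's httpd.conf; this page does not state it.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEFAULT_CONF
    print(audit_httpd_conf(source))
```

Running Apache's own `httpd -M` on the server lists the modules it actually loaded and is the authoritative cross-check for a "conditional" result.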