CVE-2022-1257

MEDIUM

McAfee Agent < 5.7.6 - Insecure Storage of Sensitive Information in ma.db


Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-1257. PoCs published by Keenan Scott, kayes817.

AI-analyzed exploit summary: This PowerShell script exploits CVE-2022-1257 by extracting and decrypting credentials stored in the McAfee Agent's SQLite database (`ma.db`). It uses static encryption keys and TripleDES decryption to reveal plaintext passwords, demonstrating an insecure storage vulnerability.

Description

Insecure storage of sensitive information vulnerability in MA for Linux, macOS, and Windows prior to 5.7.6 allows a local user to gain access to sensitive information through storage in ma.db. The sensitive information has been moved to encrypted database files.

Exploits (2)

exploitdb WORKING POC
by Keenan Scott · text · remote · multiple
https://www.exploit-db.com/exploits/52345

This PowerShell script exploits CVE-2022-1257 by extracting and decrypting credentials stored in the McAfee Agent's SQLite database (`ma.db`). It uses static encryption keys and TripleDES decryption to reveal plaintext passwords, demonstrating an insecure storage vulnerability.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: McAfee Agent < 5.7.6
No auth needed
Prerequisites: Access to the local file system where `ma.db` is stored · Presence of `winsqlite3.dll`
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by kayes817 · poc
https://github.com/kayes817/CVE-2022-1257

This PowerShell script exploits CVE-2022-1257 to dump and decrypt credentials from the Trellix Agent Database (ma.db) by leveraging static encryption keys and SQLite queries. It demonstrates the vulnerability by extracting and decrypting stored credentials using XOR and 3DES decryption.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: McAfee Trellix Agent (versions prior to 5.7.6)
No auth needed
Prerequisites: Access to the local file system where `ma.db` is stored · Presence of `winsqlite3.dll` · PowerShell execution privileges
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0018
EPSS Percentile: 39.5%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Details

CWE: CWE-922
Status: published
Products (1): mcafee/agent < 5.7.6
Published: Apr 14, 2022
Tracked Since: Feb 18, 2026