-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2026-001
Product: WithSecure Elements EDR and EPP for Computers Premium Version 25.5
Manufacturer: WithSecure
Affected Version(s): At least version 25.5
Tested Version(s): Version 25.5
Vulnerability Type: Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2026-01-22
Public Disclosure: 2026-03-26
Author of Advisory: SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

WithSecure Elements EDR is an endpoint protection software by WithSecure, formerly F-Secure.[1] As is typical for EDR software, it offers a function to isolate clients from the network in order to prevent lateral movement by attackers.[2] However, this function does not appear to isolate the client sufficiently.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

After isolation, only domain name resolution and incoming connections seem to be blocked. Outgoing ICMP, TCP, and UDP connections to internal and public networks can still be successfully initiated by the isolated client. Furthermore, already established TCP connections are not forcefully disconnected.

Because established TCP connections survive isolation, the intended isolation effect may not be sufficient in configurations with VPNs or other network tunnels such as SSH.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Establish an SSH connection from a test client to a server.
2. Activate endpoint isolation in the dashboard.
3. Observe that the open SSH connection is not forcefully closed, that public and private IP addresses can still be pinged, and that new connections can be established.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

There is no solution available yet.
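The following Python script is an added example; it is not part of the SySS advisory and not WithSecure's code. It turns the PoC steps above into a repeatable check that a defender can run from a test client before and after triggering isolation in the console, so that the vendor's isolation claim is verified rather than assumed during incident response. The script encodes what a sufficient isolation must show (DNS resolution and new outbound TCP connections blocked, already established TCP sessions torn down) and reports every probe whose observed result contradicts that expectation. The host address 192.0.2.10, port 22 and the name example.internal are placeholders (192.0.2.0/24 is a documentation range); ICMP and UDP probes are deliberately left out because their outcome depends on raw-socket privileges and on whether the peer answers at all.

```python
"""Endpoint isolation verification harness (added example, not from the advisory).

Usage from a test client:
  1. Run the script; it opens a TCP session to TARGET_HOST:TARGET_PORT.
  2. Activate isolation in the EDR console, then press Enter.
  3. Every probe listed under "isolation gaps" contradicts what a
     sufficient network isolation must do.
"""
import select
import socket
from dataclasses import dataclass

# Placeholder values for this example (192.0.2.0/24 is a documentation range).
TARGET_HOST = "192.0.2.10"
TARGET_PORT = 22
DNS_NAME = "example.internal"
PROBE_TIMEOUT = 3.0


@dataclass(frozen=True)
class ProbeResult:
    name: str
    expected_blocked: bool   # what a sufficient isolation must do
    blocked: bool            # what was actually observed


def probe_tcp_connect(host: str, port: int, timeout: float = PROBE_TIMEOUT) -> bool:
    """Return True if a NEW outbound TCP connection is filtered.

    A refused connection (RST from the peer) proves packets still reach the
    host, so it counts as not blocked; only a timeout or a routing error
    (no route / network unreachable) counts as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except ConnectionRefusedError:
        return False
    except OSError:          # includes socket.timeout / TimeoutError
        return True


def probe_dns(name: str) -> bool:
    """Return True if name resolution fails, i.e. DNS is blocked."""
    try:
        socket.getaddrinfo(name, None)
        return False
    except socket.gaierror:
        return True


def connection_still_alive(sock: socket.socket) -> bool:
    """Return True if an ALREADY ESTABLISHED connection has not been torn down.

    select() reports a peer FIN or RST as readable; a peek that yields no
    bytes means the peer closed the session, an error means it was reset.
    An idle but open connection is simply not readable.
    """
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return True
    try:
        return sock.recv(1, socket.MSG_PEEK) != b""
    except OSError:
        return False


def evaluate(results):
    """Names of probes whose observed outcome contradicts a sufficient isolation."""
    return [r.name for r in results if r.blocked != r.expected_blocked]


def run_probes(host: str, port: int, dns_name: str, established=None):
    """Collect all probe results; `established` is a socket opened before isolation."""
    results = [
        ProbeResult("dns resolution", True, probe_dns(dns_name)),
        ProbeResult("new outbound tcp", True, probe_tcp_connect(host, port)),
    ]
    if established is not None:
        results.append(ProbeResult("established tcp torn down", True,
                                   not connection_still_alive(established)))
    return results


def loopback_pair():
    """Connected socket pair on the local host, used for self-tests of the harness."""
    return socket.socketpair()


if __name__ == "__main__":
    # Step 1: open a session that must not survive isolation.
    session = socket.create_connection((TARGET_HOST, TARGET_PORT), timeout=PROBE_TIMEOUT)
    input("Activate isolation in the EDR console, then press Enter...")
    # Steps 2 and 3: probe after isolation and report contradictions.
    gaps = evaluate(run_probes(TARGET_HOST, TARGET_PORT, DNS_NAME, session))
    print("isolation gaps:", gaps or "none")
    session.close()
```

Run the same harness against a second test client that is not isolated to confirm the probes themselves work; only then does an empty gap list mean the control is effective. The design keeps observation (the probes) separate from judgement (`evaluate`), so the expectation table can be tightened, for instance by adding an inbound probe from a second host, without touching the probe code.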
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-01-22: Vulnerability reported to manufacturer
2026-03-26: Vulnerability publicly disclosed, as no reasonable communication could be established via the responsible disclosure process of the manufacturer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website of WithSecure
    https://www.withsecure.com/en/
[2] Information website of WithSecure about manual isolation function
    https://community.withsecure.com/en/kb/articles/32444-how-can-i-manually-isolate-client-security-hosts-from-the-network-with-withsecure-policy-manager
[3] SySS Security Advisory SYSS-2026-001
    https://www.syss.de/SYSS-2026-001
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE4TVOI2CRqFyeFFd6KN+zpwqYqdQFAmnFLbEACgkQKN+zpwqY
qdQzJA//RaW2MK8bmOePYvVCl2iY0v+4fdHgD/fWlgbFA8qDCzo/PdxR3n0O6Kdt
CsaysOb3dbwWvy/eKxLhrqrjh+h734/Vs0Y5PTM80hFDZ/om/AdjU8cfo8TpJ6nn
jvhlNYvkL7YB/Tu3vMtKsKaYaBsZIh8tDLNIebnDXcqbjGSHQfxndPdHw0gDgDHo
the3FIl7c+nIz9W5HxVwfeeonDJ/HsSq0K/4KY6WlHuSt8VbNCeVLYyNA5wpeWkN
73A8XUb16syW0Oju+4nWg1eqmGoQfJHn27tCNgyju9ISNxV6AKLzw/pQSQpBJypk
tskiGk5BTcGD1uDcEzvtcw4lvA4DAmN+Elntqc2y7BvmYTFx5v544h4Zm9dA2q3G
djum+4We2Cs1PCrNpuzHkcAi+glR2TCqNpi0F2fzBhYBnvU5aRA3B4+BOnD10P0O
il8hR4yKX68VOAIly45MrsT9XYlfv+lfyr5f9+s8lz1e+StqE1myqzY+We13m+pO
fWd81cOEXMvN+QP6Dtm+aQbdypdGqdldEyS2Qw6ZAhQWCNiznGO6LSGBpo4haDpy
+/Wy7sJqTBF8SdLpsksZnClko+0B8sGQdNbZZEdrCJD1jpmZmQLehWzsizRIVP4o
Gmt2WAKFVZ99CqM5dVmbFXKQT5/m8jfSokBIX362EBhed5nCCxY=
=kyLk
-----END PGP SIGNATURE-----