Now, researchers say they have uncovered a critical vulnerability in such a product from security firm FireEye that can give attackers full network access. According to Tavis Ormandy from Google, they have discovered an vulnerability in the NX, EX, AX, FX series of FireEye products. Ormandy says that the vulnerability makes it possible for attackers to penetrate a network by sending one of its members a single malicious e-mail, even if it’s never opened. Ormandy, who has already uncovered bugs in many anti-virus solutions in the past says that they have informed FireEye about the bug. Ormandy has explained in a blog post published Tuesday: For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap—the recipient wouldn’t even have to read the email, just receiving it would be enough. The devices are supposed to passively monitor network traffic from HTTP, FTP, SMTP connections. In instances where there’s a file transfer, the security appliance will scan it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability that can be exploited through such a passive monitoring interface. The researchers used the JODE Java decompiler to reverse engineer Java Archive files used by the FireEye devices. They then figured out a way to get the appliance to execute a malicious archive file by mimicking some of the same features found in legitimate ones. “Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network,” the researchers reported. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.” In a statement, a FireEye spokesman wrote: We released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning, December 5th and released a full, automated fix on Monday, December 7. In addition, we will be releasing a fix to support our out-of-contract customers. We are thankful for the opportunity to support researchers in the testing of our products and will continue to support their efforts and fully support their efforts to improve our products.