Critical Vulnerabilities in Trend Micro's Products

Published on 17 Mar 2020

Updated on 17 Mar 2020

Trend Micro has released critical patches to address multiple vulnerabilities in their Trend Micro Apex One, OfficeScan XG, and Worry-Free Business Security products. Active attacks on some of these vulnerabilities have been observed.

The vulnerabilities are tabled based on their severity classification, which is based on their CVSSv3 base scores:

Critical vulnerabilities with a base score of 9.0 to 10.0
High vulnerabilities with a base score of 7.0 to 8.9
Medium vulnerabilities with a base score of 4.0 to 6.9
Low vulnerabilities with a base score of 0.1 to 3.9
None vulnerabilities with a base score of 0.0

 

VULNERABILITIES

CVE Number Description Base Score Affected Product
CVE-2020-8467 This vulnerability exists in a migration tool component which could allow a remote attacker to execute arbitrary code on affected installations.

 

Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild.

 9.1 Trend Micro Apex One 2019

OfficeScan XG
OfficeScan XG SP1

 CVE-2020-8468 This vulnerability exists in a content validation escape which could allow an attacker to manipulate certain agent client components.

 

Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild.

 8.0 Trend Micro Apex One 2019

OfficeScan XG

OfficeScan XG SP1

Worry-Free Business Security Ver. 9.5

Worry-Free Business Security Ver. 10.0

 

CVE-2020-8470

This vulnerability exists in a service DLL file which could allow an attacker to delete any file on the server with SYSTEM level privileges.

 10 Trend Micro Apex One 2019

OfficeScan XG

OfficeScan XG SP1

Worry-Free Business Security Ver. 9.5

Worry-Free Business Security Ver. 10.0

 

CVE-2020-8598 This vulnerability exists in a service DLL file which could allow a remote attacker to execute arbitrary code on affected installations with SYSTEM level privileges.  10 Trend Micro Apex One 2019

OfficeScan XG

OfficeScan XG SP1

Worry-Free Business Security Ver. 9.5

Worry-Free Business Security Ver. 10.0

 

 CVE-2020-8599

This vulnerability exists in an EXE file which could allow a remote attacker to write arbitrary data to an arbitrary path on affected installations and bypass ROOT login.

 

 10 Trend Micro Apex One 2019

OfficeScan XG

OfficeScan XG SP1

 

 CVE-2020-8600

This vulnerability exists in the directory traversal which could allow an attacker to manipulate a key file to bypass authentication.

 

 8.6

Worry-Free Business Security Ver. 9.5
Worry-Free Business Security Ver. 10.0

 

Users and system administrators are strongly advised to update to the latest builds as soon as possible