71 matches found
CVE-2021-36741
CVE-2021-36741 affects Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1. The root cause is an improper input validation that enables a remote attacker, who must have access to log in to the product management console, to upload arbitrary files ...
CVE-2021-36742
CVE-2021-36742 is an improper input validation vulnerability that affects Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1. The root cause is flawed input validation that lets a local attacker escalate privileges after obtaining the ability to r...
CVE-2020-8599
CVE-2020-8599 affects Trend Micro Apex One (2019) and OfficeScan XG servers. The issue is in a vulnerable EXE on the server that could let an unauthenticated remote attacker write arbitrary data to an arbitrary path and bypass ROOT login. The description indicates no authentication is required to...
CVE-2020-8467
CVE-2020-8467 affects Trend Micro Apex One (2019) and OfficeScan XG via a vulnerability in the migration tool component that enables remote code execution. The attack requires user authentication to be attempted. NVD scoring indicates high impact (CVSSv3.1 base 8.8; HIGH). CISA KEV catalogs this ...
CVE-2019-18187
CVE-2019-18187 affects Trend Micro OfficeScan versions 11.0 and XG (12.0). The issue is a directory traversal in ZIP handling that allows extracting files to a specific OfficeScan server folder, potentially enabling remote code execution. Exploitation requires an authenticated context (web servic...
CVE-2020-8468
CVE-2020-8468 affects Trend Micro Apex One (2019), OfficeScan XG and Worry‑Free Business Security agents. Described as a content validation escape vulnerability that could allow an attacker to manipulate agent client components; an attack requires user authentication. The connected documents prov...
CVE-2019-9492
CVE-2019-9492 is a DLL side-loading vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG. The issue allows an authenticated, locally logged-in attacker to execute code and terminate the product’s process, effectively disabling endpoint protection. The description states prerequisites are authe...
CVE-2020-8470
The CVE-2020-8470 entry concerns Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security server components. A vulnerable service DLL on the server could allow an unauthenticated attacker to delete arbitrary files with SYSTEM privileges. Public references indicate this is one o...
CVE-2020-8598
CVE-2020-8598 affects Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security servers (9.0/9.5/10.0). The vulnerability is in a server component: a vulnerable service DLL that could allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges. Publ...
CVE-2020-24562
Trend Micro OfficeScan XG SP1 on Windows is affected by a local privilege-escalation vulnerability (CVE-2020-24562) that lets an attacker who can execute low-privileged code create a hard link to an arbitrary file, enabling privilege escalation and potential code execution. Public sources in conn...
CVE-2019-14688
This CVE affects Trend Micro installer packages. A DLL hijack vulnerability was present in an installer version used by multiple Trend Micro products and could be exploited only during the initial product installation by an authorized user. The attacker must cause the target to place a malicious ...
CVE-2021-25232
This CVE (CVE-2021-25232) affects Trend Micro Apex One (on‑prem and SaaS) and OfficeScan XG SP1. The issue is an improper access control that allows an unauthenticated user to obtain information about the SQL database. ZDI indicates remote exploitation via the web console (default port 4343), ena...
CVE-2017-14089
CVE-2017-14089 affects Trend Micro OfficeScan 11.0 and XG (12.0). The vulnerability is described as an unauthorized remote memory corruption in the CGI component cgiShowClientAdm.exe, exploitable by an unauthenticated attacker over the network to cause memory corruption (potential denial of servi...
CVE-2017-14083
CVE-2017-14083 is a vulnerability in Trend Micro OfficeScan 11.0 and XG (12.0) described as an encryption key disclosure. The core issue allows remote unauthenticated users who can access the system to download the OfficeScan encryption file (encryption key). Connected documents corroborate this ...
CVE-2017-14086
CVE-2017-14086 describes a pre-auth vulnerability in Trend Micro OfficeScan 11.0 and XG (12.0) where unauthenticated actors who can reach the OfficeScan server may trigger the fcgiOfcDDA.exe process or induce INI corruption, potentially causing disk space exhaustion from dump files due to continu...
CVE-2021-25246
CVE-2021-25246 concerns Trend Micro Apex One (including Apex One as a Service, OfficeScan XG SP1, and Worry-Free Business Security) where an improper access control information disclosure allows an unauthenticated attacker to create a bogus agent on an affected server to perform valid configurati...
CVE-2017-14087
CVE-2017-14087 is a Host Header Injection vulnerability in Trend Micro OfficeScan XG (12.0) and OfficeScan 11.x. Public materials in the provided documents indicate affected versions include OfficeScan 11.x pre-CP 6426 SP1 and 12.x pre-CP 1708. The issue allows an attacker to spoof the Host heade...
CVE-2018-10507
CVE-2018-10507 concerns Trend Micro OfficeScan (11.0 SP1 and XG) where an attacker with administrator privileges can bypass or render the Unauthorized Change Prevention feature inoperable. The vulnerability affects OfficeScan XG v11.0 (and related SP1) and enables bypass of protection mechanisms ...
CVE-2017-14084
Trend Micro OfficeScan 11.0 and XG/12.0 are affected by a Man-in-the-Middle (MITM) remote code execution vulnerability. Public NASL/Nessus entries describe a remote memory corruption/RCE condition tied to OfficeScan components (e.g., cgiShowClientAdm.exe) caused by improper input handling, enabli...
CVE-2021-32464
CVE-2021-32464 is a local privilege-escalation vulnerability in Trend Micro Apex One, Apex One as a Service and Worry-Free Business Security Services. The issue arises from incorrect permission assignments on a resource (script) that an attacker can modify before execution after gaining low-privi...
CVE-2021-32465
CVE-2021-32465 is an authenticated bypass vulnerability in Trend Micro Apex One, Apex One as a Service and OfficeScan XG SP1. Affected component is the patching/permissions handling where permissions are not preserved during certain operations, enabling a remote attacker to bypass authentication....
CVE-2008-2433
CVE-2008-2433 affects Trend Micro OfficeScan 7.0–8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5–3.6. The root cause is insufficient entropy in the web management console’s session token generation, which relies only on login time (granularity of one second). This wea...
CVE-2019-18189
CVE-2019-18189 is a directory-traversal vulnerability in Trend Micro Apex One, OfficeScan (11.0, XG) and Worry-Free Business Security (9.5, 10.0) that can bypass authentication and allow an attacker to log on to the product management console as root without authentication. Affected products and ...
CVE-2021-25234
CVE-2021-25234 is an improper access control vulnerability affecting Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1. The connected sources describe an unauthenticated attacker being able to obtain information about a specific notification con...
CVE-2021-25248
CVE-2021-25248 affects Trend Micro Apex One (on‑prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1/Services). The root cause is an out‑of‑bounds read due to insufficient validation in the vulnerable component (TmCCSF.exe per ZDI-21-118), allowing a local attacker with c...
CVE-2021-25243
The CVE-2021-25243 entry describes an improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 that could allow an unauthenticated attacker to obtain patch level information. Connected documents confirm concrete...
CVE-2018-6218
CVE-2018-6218 describes a DLL hijacking issue in Trend Micro’s User-Mode Hooking Module (UMH). The root cause is insecure DLL loading (DLL search order) in Trend Micro products, enabling arbitrary code execution if a malicious DLL is located where the installer/UMH loader loads it. Public documen...
CVE-2021-25229
CVE-2021-25229 concerns an improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1 that could allow an unauthenticated user to obtain information about the database server. The core issue is access control failure in the product’s components, enablin...
CVE-2021-25233
CVE-2021-25233 is an improper access control vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 that allows an unauthenticated attacker to disclose information about a specific configuration download file. The issue stems from im...
CVE-2021-25249
CVE-2021-25249 involves an out-of-bounds write information disclosure in Trend Micro Apex One (on‑prem and SaaS), OfficeScan XG SP1, and Worry‑Free Business Security (10.0 SP1/Services). The connected ZDI advisory details a local privilege escalation flaw in the TmCCSF.exe component, caused by la...
CVE-2016-1223
CVE-2016-1223 affects Trend Micro OfficeScan 11.0 and Worry-Free Business Security variants (Security Services 5.x and 9.0). The OpenVAS entries describe a directory traversal vulnerability in Trend Micro products that can allow remote attackers with LAN access to read arbitrary files through uns...
CVE-2017-14085
CVE-2017-14085 affects Trend Micro OfficeScan 11.0 and XG (12.0) where unauthenticated remote access can query the network NT domain or PHP version/modules via a web-facing OfficeScan server. The CVE is documented as an information-disclosure vulnerability with unauthorized access to server-side ...
CVE-2021-25228
This CVE affects Trend Micro OfficeScan/XG and related Apex One/Worry‑Free components. The root cause is improper access control in the web console, allowing an unauthenticated attacker to disclose information (hotfix history/sensitive data). The vulnerability is exploitable remotely via the affe...
CVE-2021-25238
CVE-2021-25238 maps to Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1. The connected ZDI advisory describes an improper access control vulnerability in the web console that allows unauthenticated remote attackers to disclose information about an agent’s managing port, via...
CVE-2021-25240
The CVE-2021-25240 entry concerns Trend Micro OfficeScan Apex One family products (Apex One on-prem and SaaS, OfficeScan XG SP1, Worry-Free Business Security 10.0 SP1) with an improper access control flaw. The connected advisories confirm that an unauthenticated attacker can disclose x64 agent ho...
CVE-2021-25230
The CVE-2021-25230 entry concerns Trend Micro Apex One (on‑prem and SaaS) and OfficeScan XG SP1 with an improper access control flaw that allows an unauthenticated user to obtain information from a scan connection exception file. Public disclosures map the vulnerability to a fault in the web cons...
CVE-2021-25235
This CVE (CVE-2021-25235) affects Trend Micro Apex One (on-prem and SaaS) and OfficeScan XG SP1. The root cause is an improper access control that allows an unauthenticated attacker to obtain information about a content inspection configuration file. The vulnerability enables information disclosu...
CVE-2019-9489
The CVE-2019-9489 entry describes a directory traversal vulnerability in Trend Micro products: Apex One, OfficeScan (XG and 11.0) , and Worry-Free Business Security (WFBS) 10.0, 9.5, 9.0 . The underlying issue allows an unauthenticated, remote attacker to send crafted URIs containing directory tr...
CVE-2020-28576
CVE-2020-28576 affects Trend Micro Apex One and OfficeScan XG SP1, with an improper access control information disclosure . The issue allows an unauthenticated attacker to connect to the product server and disclose version/build information. Public details from ZDI describe exploitation via the w...
CVE-2021-25231
CVE-2021-25231 affects Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1. The vulnerability is an improper access control that allows unauthenticated remote attackers to disclose information about a specific hotfix history file via the web conso...
CVE-2017-11393
Trend Micro OfficeScan is affected by a Proxy.php parameter parsing flaw that enables remote code execution via the tr parameter in the Web Console’s Proxy.php. Affected products include OfficeScan 11 and XG (12). The vulnerability allows code execution under the current service context; exploita...
CVE-2017-14088
Trend Micro OfficeScan (11.0 and XG) is affected by a local memory-corruption vulnerability in tmwfp.sys that allows a low-privilege attacker to gain kernel-level code execution. Exploitation relies on handling of IOCTLs in tmwfp.sys, enabling privilege escalation without user interaction. Severa...
CVE-2020-24559
CVE-2020-24559 affects Trend Micro Apex One, Worry-Free Business Security (macOS). A local privilege escalation allows an attacker who can run low-privileged code to manipulate a binary so it loads and executes a script from a user-writable folder, enabling arbitrary code execution as root. Publi...
CVE-2021-25239
CVE-2021-25239 affects Trend Micro Apex One (on-prem), OfficeScan XG SP1, and Worry‑Free Business Security 10.0 SP1. The issue is an improper access control that allows an unauthenticated user to obtain information about x86 agent hotfixes. The ZDI advisory notes that the vulnerability exists in ...
CVE-2018-3608
CVE-2018-3608 affects Trend Micro Maximum Security (Consumer) for 2018, specifically affected versions 12.0.1191 and below. The vulnerability resides in the User-Mode Hooking (UMH) driver and could allow a crafted network packet to cause code to be injected into other processes on a vulnerable sy...
CVE-2021-25236
CVE-2021-25236 describes a server-side request forgery (SSRF) information disclosure affecting Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1. According to connected sources, unauthenticated attackers can locate online agents via a specific sweep, with exploitation tied t...
CVE-2021-25252
CVE-2021-25252 concerns Trend Micro’s Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) experiencing a memory exhaustion vulnerability that can cause denial-of-service or a system freeze when processing specially crafted files. Affected components: VSAPI and ATSE in Trend Micro produc...
CVE-2018-10506
Trend Micro OfficeScan (11.0 SP1 and XG) is affected by an out-of-bounds read information disclosure vulnerability in the TMWFP driver, triggered by processing IOCTL 0x220004. An attacker who can run low-privileged code locally can disclose sensitive information. The vulnerability details come fr...
CVE-2020-28583
The CVE-2020-28583 entry concerns Trend Micro Apex One and OfficeScan XG SP1 with an improper access control information disclosure. The connected documents explicitly describe that an unauthenticated attacker can connect to the product server and disclose version, build, and patch information vi...
CVE-2021-25242
CVE-2021-25242 affects Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1. Public sources in the provided documents describe an improper access control vulnerability that allows an unauthenticated user to obtain version and build information. ZDI...