Trend Micro Control Manager AdHocQuery_CustomProfiles SQL Injection Remote Code Execution Vulnerability

ID ZDI-16-456
Type zdi
Reporter k0rpr1t_z0mb1e
Modified 2016-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Control Manager. Authentication is required to exploit this vulnerability.

The specific flaw exists within AdHocQuery_CustomProfiles.aspx. The issue lies in the failure to sanitize user-supplied input before it is incorporated into a SQL statement that is then executed. An attacker could leverage this vulnerability to execute code in the context of the database.
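To make the described weakness concrete, here is an added illustration in the style of an ASP.NET code-behind; it is not Trend Micro's code, and because the advisory names only the page, the query-string key, table and column names are hypothetical. It shows the unsafe pattern of concatenating a request value into SQL text next to the parameterized form that removes the injection.

```csharp
// Added illustration, not code from Trend Micro Control Manager.
// The query-string key, table and column names below are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class AdHocQueryCustomProfilesExample : Page
{
    private const string ConnString = "Server=(local);Database=ExampleDb;Integrated Security=true";

    // VULNERABLE PATTERN: the request value is pasted into the SQL text, so the
    // caller controls part of the statement the database server executes.
    private DataTable LoadProfileUnsafe(string profileName)
    {
        string sql = "SELECT ProfileId, ProfileName, QueryXml FROM CustomProfiles "
                   + "WHERE ProfileName = '" + profileName + "'";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            var table = new DataTable();
            conn.Open();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }

    // FIXED PATTERN: the value travels as a typed parameter, never as SQL text,
    // so quotes or appended statements are compared as data, not parsed as syntax.
    private DataTable LoadProfileSafe(string profileName)
    {
        const string sql = "SELECT ProfileId, ProfileName, QueryXml FROM CustomProfiles "
                         + "WHERE ProfileName = @name";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 128).Value = profileName;
            var table = new DataTable();
            conn.Open();
            table.Load(cmd.ExecuteReader());
            return table;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Hypothetical request key; the real page's parameter name is not in the advisory.
        string profile = Request.QueryString["profile"] ?? string.Empty;
        DataTable rows = LoadProfileSafe(profile); // never LoadProfileUnsafe
    }
}
```

Parameterization removes the injection itself; running the application's database login without sysadmin rights or access to command-execution stored procedures separately limits how far a query-level flaw can escalate toward the code execution the advisory describes.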