CVE-2017-11391
Published: 2017-08-03
Priority: P1 80 high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 61.78% (99.1 percentile)
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "t" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4744.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_messaging_security_virtual_appliance | — | — |
| trendmicro | interscan_messaging_security_virtual_appliance | — | — |
| trendmicro | interscan_messaging_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the modTMCSS Proxy endpoint (Proxy.php) for suspicious or shell-metacharacter-containing values in the 't' parameter, which is the injection point for command execution.
- Alert on unauthenticated access to diagnostic.log on the IMSVA management interface (TCP/443); attackers retrieve this file to harvest a valid JSESSIONID for the authentication bypass stage.
- Detect the exploitation chain: unauthenticated requests to the IMSVA management interface on TCP/443 that subsequently trigger system calls from the web server user process, indicative of the combined auth-bypass and command-injection exploit.
- The vulnerability is a two-stage exploit: an authentication bypass (JSESSIONID harvested from the exposed diagnostic.log) combined with command injection via the 't' parameter in Proxy.php. Both stages must be chained for full unauthenticated RCE.
- Affected versions are Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 only; scope detection rules accordingly.
CVSS provenance
- NVD, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.