CVE-2017-11391
published 2017-08-03

Priority: P1 · 80 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 61.78% (99.1th percentile)
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "t" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4744.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
trend_micro | trend_micro_interscan_messaging_security_virtual_appliance | |
trendmicro | interscan_messaging_security_virtual_appliance | |
trendmicro | interscan_messaging_security_virtual_appliance | |

Detection & IOCs (extracted from sources)

port: 443
path: /mod TMCSS/Proxy.php
other: t
path: diagnostic.log
cookie: JSESSIONID
  • Monitor HTTP requests to the modTMCSS Proxy endpoint (Proxy.php) for 't' parameter values that look suspicious or contain shell metacharacters; 't' is the injection point for command execution.
  • Alert on unauthenticated access to diagnostic.log on the IMSVA management interface (TCP/443); attackers retrieve this file to harvest a valid JSESSIONID for the authentication bypass stage.
  • Detect exploitation chain: unauthenticated requests to the IMSVA management interface on TCP/443 that subsequently trigger system calls from the web server user process — indicative of the combined auth-bypass + command-injection exploit.
  • The vulnerability is a two-stage exploit: an authentication bypass (JSESSIONID harvested from the exposed diagnostic.log) combined with command injection via the 't' parameter in Proxy.php. Both stages must be chained for full unauthenticated RCE.
  • Affected versions are Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 only; scope detection rules accordingly.
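
One way to turn the monitoring guidance above into a log check, as an added example that is not part of the original record or any vendor tooling. It assumes an Apache combined-format access log with 't' carried in the query string; the /PLACEHOLDER/ path prefix, the metacharacter set, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: NCSA/Apache combined log format; adapt to the appliance's real format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: characters treated as shell metacharacters for alerting purposes.
SHELL_META = re.compile(r'[;&|`$<>(){}\\\n\r]')

def classify(line):
    """Return (client_ip, finding) for a log line, or None if nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    if path.endswith("/diagnostic.log"):
        return m["ip"], "diagnostic.log fetch"
    if path.endswith("/proxy.php"):
        # parse_qs percent-decodes, so encoded metacharacters (%3B, %7C) are caught too.
        for value in parse_qs(url.query, keep_blank_values=True).get("t", []):
            if SHELL_META.search(value):
                return m["ip"], "metacharacter in t"
    return None

def find_chains(lines):
    """Clients that fetched diagnostic.log and later sent a suspicious 't' to Proxy.php."""
    fetched, chained = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, finding = hit
        if finding == "diagnostic.log fetch":
            fetched.add(ip)
        elif ip in fetched and ip not in chained:
            chained.append(ip)
    return chained

SAMPLE = [  # constructed log lines; addresses come from documentation ranges
    '192.0.2.10 - - [03/Aug/2017:10:00:00 +0000] "GET /PLACEHOLDER/diagnostic.log HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Aug/2017:10:00:05 +0000] "GET /PLACEHOLDER/Proxy.php?t=example%3Bvalue HTTP/1.1" 200 87',
    '198.51.100.7 - - [03/Aug/2017:10:01:00 +0000] "GET /PLACEHOLDER/Proxy.php?t=plainvalue HTTP/1.1" 200 87',
    '203.0.113.5 - - [03/Aug/2017:10:02:00 +0000] "GET /PLACEHOLDER/Proxy.php?t=a%7Cb HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    print([classify(l) for l in SAMPLE], find_chains(SAMPLE))
```

Single-stage hits from `classify` are worth alerting on by themselves; `find_chains` raises the priority when one client performs both stages in order.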

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P