CVE-2017-11392
published 2017-08-03

Priority: P2, 75, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 33.76% (98.2th percentile)

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the "T" parameter within modTMCSS Proxy. Formerly ZDI-CAN-4745.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| trend_micro | trend_micro_interscan_messaging_security_virtual_appliance | | |
| trendmicro | interscan_messaging_security_virtual_appliance | | |
| trendmicro | interscan_messaging_security_virtual_appliance | | |

Detection & IOCs (extracted from sources)

port: 443
path: /mod TMCSS/Proxy.php
filename: diagnostic.log
cookie: JSESSIONID
  • Monitor HTTP requests to the modTMCSS Proxy endpoint for suspicious or shell-metacharacter-containing values in the 'T' parameter, which is the injection point for command execution.
  • Alert on unauthenticated access to diagnostic.log on the IMSVA management interface (TCP/443), as attackers use it to harvest a valid JSESSIONID for session hijacking prior to exploitation.
  • Detect exploitation chain: unauthenticated requests to Proxy.php under the modTMCSS folder on port 443 that contain command-injection payloads, executed under the web server user context.
  • The vulnerability requires chaining an authentication bypass (JSESSIONID theft via exposed diagnostic.log) with the command injection in Proxy.php; both conditions must be present for full unauthenticated RCE.
  • Affected versions are Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 only; verify version before applying detections.
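
The detections listed above, applied to web access logs, as an added example that is not from the source page or from Trend Micro. It assumes combined-format access logs and that the 'T' parameter is visible in the query string; the PLACEHOLDER directory stands in for the URL prefix the page does not give, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log-format line: client IP ... "METHOD target HTTP/x" (assumed format)
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters a shell treats specially; any of them in T is worth an alert.
SHELL_META = re.compile(r'[;|&`$<>(){}\n\r]')

def classify(line):
    """Return (client, finding) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    path = unquote(url.path)
    if path.lower().endswith("/diagnostic.log"):
        return client, "diagnostic-log-access"
    # Tolerate "modTMCSS" and "mod TMCSS" spellings of the folder name.
    flat = re.sub(r"\s+", "", path).lower()
    if "modtmcss" in flat and flat.endswith("/proxy.php"):
        values = parse_qs(url.query, keep_blank_values=True).get("T", [])
        if any(SHELL_META.search(v) for v in values):
            return client, "proxy-T-metachar"
    return None

def detect(lines):
    """Collect findings; mark the chain when a client read the log first."""
    seen_log, out = set(), []
    for line in lines:
        hit = classify(line)
        if not hit:
            continue
        client, finding = hit
        if finding == "diagnostic-log-access":
            seen_log.add(client)
        elif client in seen_log:
            finding = "chain:log-then-proxy-T"
        out.append((client, finding))
    return out

# Constructed sample lines (documentation IP ranges, placeholder URL prefix).
SAMPLE = [
    '192.0.2.10 - - [03/Aug/2017:10:00:01 +0000] "GET /PLACEHOLDER/diagnostic.log HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Aug/2017:10:00:09 +0000] "GET /PLACEHOLDER/modTMCSS/Proxy.php?T=a%3Bb HTTP/1.1" 200 12',
    '198.51.100.7 - - [03/Aug/2017:10:02:00 +0000] "GET /PLACEHOLDER/mod%20TMCSS/Proxy.php?T=a%60b%60 HTTP/1.1" 200 12',
    '198.51.100.9 - - [03/Aug/2017:10:03:00 +0000] "GET /PLACEHOLDER/modTMCSS/Proxy.php?T=status HTTP/1.1" 200 12',
]
```

Values of 'T' sent in a POST body do not appear in access logs, so this check complements rather than replaces inspection at a proxy or WAF that sees request bodies.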

CVSS provenance

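| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |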