CVE-2017-14089
published 2017-10-06

Priority: P266 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 9.78% (94.9th percentile)
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated users who can access the OfficeScan server to target cgiShowClientAdm.exe and cause memory corruption issues.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
trend_micro | trend_micro_officescan | |
trendmicro | officescan | |
trendmicro | officescan | |

Detection & IOCs (extracted from sources)

url: https://VICTIM-IP:4343/officescan/console/html/cgi/cgiShowClientAdm.exe
path: /officescan/console/html/cgi/cgiShowClientAdm.exe
port: 4343
filename: cgiShowClientAdm.exe
  • Monitor for unauthenticated HTTP/S requests to /officescan/console/html/cgi/cgiShowClientAdm.exe on port 4343, particularly those with oversized LogonUser cookie values (e.g., 256+ repeated characters) indicative of a buffer overflow attempt.
  • Alert on requests to cgiShowClientAdm.exe where the LogonUser cookie field contains an abnormally long string (hundreds of repeated characters), as this is the specific overflow vector used in the PoC.
  • The exploit does NOT require an X-CSRFToken header, so absence of this header in requests to cgiShowClientAdm.exe should not be used to exclude malicious traffic.
  • Exploit sends Content-Type: application/x-www-form-urlencoded with Content-Length: 54; correlate these headers with requests to the vulnerable CGI endpoint for detection.
  • The exploit targets OfficeScan versions 11.0 and XG (12.0); ensure detection rules are scoped to environments running these specific versions.
  • The vulnerability is pre-authentication (no valid session required), meaning standard authenticated-session anomaly detection will not catch this attack.

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P