CVE-2019-14688 — Uncontrolled Search Path Element in Control Manager

CWE-427 — Uncontrolled Search Path Element4 documents4 sources

Severity

7.0HIGHNVD

EPSS

0.5%

top 34.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trendmicro Control Manager Trendmicro Endpoint Sensor Trendmicro IM Security +5 more

Timeline

PublishedFeb 20

Latest updateMay 24

Description

Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial product installation by an authorized user. The attacker must convince the target to download malicious DLL locally which must be present when the installer is run.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages8 packages

▶NVDtrendmicro/scanmail14.0

▶NVDtrendmicro/security2019

▶NVDtrendmicro/officescanxg

▶NVDtrendmicro/im_security1.6.5

▶NVDtrendmicro/serverprotect5.8, 6.0+1

🔴Vulnerability Details

GHSA

GHSA-g7xx-c9x7-78fj: Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijac↗2022-05-24

▶

CVEList

CVE-2019-14688: Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijac↗2020-02-20

▶