CVE-2019-18187
Published: 2019-10-28
Priority P183 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 25.12% (97.7th percentile)
Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_officescan | — | — |
| trendmicro | officescan | — | — |
| trendmicro | officescan | — | — |
Detection & IOCs
- Exploit involves a directory traversal vulnerability used to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, potentially leading to remote code execution.
- The remote code execution process runs under the web service account, which may have restricted permissions depending on the web platform; monitor for unexpected process spawning from web service accounts on OfficeScan servers.
- Attack requires user authentication; monitor for authenticated sessions followed by suspicious file extraction or directory traversal patterns on OfficeScan 11.0 and XG (12.0).
- Affected versions are OfficeScan 11.0 and XG (12.0) only; scope detection to these specific versions.
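CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |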
GHSA
GHSA-cjq6-9jh6-x2vg: Trend Micro OfficeScan versions 11
ghsa_unreviewed·2022-05-24
CVE-2019-18187 [HIGH] CWE-22
Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.
VulnCheck
Trend Micro OfficeScan Directory Traversal Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-18187 [HIGH] CWE-22
Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution.
Affected: Trend Micro OfficeScan
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/; https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
Trend Micro OfficeScan Directory Traversal Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-18187 [HIGH] CWE-22
Vulnerability: Trend Micro OfficeScan Directory Traversal Vulnerability
Affected: Trend Micro OfficeScan
Trend Micro OfficeScan contains a directory traversal vulnerability by extracting files from a zip file to a specific folder on the OfficeScan server, leading to remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-18187
Remediation Due Date: 2022-05-03
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild
blogs_tenable·2020-03-17·CVSS 8.8
Checkpoint
27th January – Threat Intelligence Bulletin
blogs_checkpoint·2020-01-27
CVE-2019-18187 27th January – Threat Intelligence Bulletin
## 27th January – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 20th January 2020, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
UN calls for an investigation into Saudi Arabia’s role in Amazon CEO Jeff Bezos’s phone hack. The alleged attack was carried out via WhatsApp. Bezos was sent a video in 2018 by Saudi Arabia’s crown prince, Mohammed bin Salman, and apparently was infected at that time. Speculations point to NSO as the possible provider of t
2019-10-28: Published
2021-11-03: Added to CISA KEV
Exploited in the wild