⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2019-18187: Path Traversal in Trend Micro OfficeScan

CWE-22 Path Traversal | 5 documents | 5 sources
Severity
7.5 HIGH (NVD)
EPSS
79.2%
top 0.93%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Oct 28
KEV added: Nov 3
KEV due: May 3
Latest update: May 24
CISA Required Action: Apply updates per vendor instructions.

Description

Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.
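The bug class described above is archive path traversal ("zip slip"): an entry name such as `../../x` is joined to the extraction folder without checking that the result still lies inside it. The following is an added example, not Trend Micro code, showing the containment check a server-side extractor needs; the archive contents are constructed in memory for the demonstration.

```python
"""Zip path traversal ("zip slip") containment check, added example for CVE-2019-18187.

Not Trend Micro code: builds a constructed in-memory archive whose entries try to
escape the extraction directory and rejects them before any file is written.
"""
import io
import os
import zipfile
from pathlib import Path


def is_contained(dest_dir: Path, entry_name: str) -> bool:
    """True only if entry_name resolves to a path inside dest_dir.

    Backslashes are treated as separators (the archive may have been built on
    Windows), then realpath normalises '..' segments and absolute names before
    the comparison; a plain string-prefix check alone is not sufficient.
    """
    name = entry_name.replace("\\", "/")
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    return os.path.commonpath([dest, target]) == dest


def safe_extract(data: bytes, dest_dir: Path) -> list:
    """Extract an archive, refusing any entry that would land outside dest_dir.

    All entries are validated before the first write, so a malicious archive
    causes no partial extraction. Returns the entry names written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_dir, info.filename):
                raise ValueError(f"traversal rejected: {info.filename!r}")
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = Path(dest_dir) / info.filename.replace("\\", "/")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive; entry names are stored verbatim, unsanitised."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```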

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (2 packages)

NVD: trendmicro/officescan, versions 11.0, xg, +1
CVEListV5: trend_micro/trend_micro_officescan, Version 11.0, XG (12.0)

🔴 Vulnerability Details (3)

GHSA
GHSA-cjq6-9jh6-x2vg: Trend Micro OfficeScan versions 11 (2022-05-24)
CVEList
CVE-2019-18187: Trend Micro OfficeScan versions 11 (2019-10-28)
VulnCheck
Trend Micro OfficeScan Directory Traversal Vulnerability (2019)

📋 Vendor Advisories (1)

CISA
Trend Micro OfficeScan Directory Traversal Vulnerability (2021-11-03)
CVE-2019-18187 — Path Traversal in Trend | cvebase