CVE-2019-18187
published 2019-10-28


Priority: P183 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 25.12% (97.7th percentile)
Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.

Affected (3 ranges)

Vendor      | Product                | Version range | Fixed in
trend_micro | trend_micro_officescan |               |
trendmicro  | officescan             |               |
trendmicro  | officescan             |               |

Detection & IOCs (extracted from sources)

  • The exploit abuses a directory traversal in zip extraction: entries of an attacker-supplied zip file are written to a specific folder on the OfficeScan server, and an entry whose path escapes that folder can land a file where it is later executed, potentially leading to remote code execution
  • Any resulting process runs under the web service account, whose permissions depend on the web platform in use; monitor for unexpected child processes spawned from the web service account on OfficeScan servers
  • The attack requires user authentication; monitor for authenticated sessions followed by archive uploads, file extraction, or path-traversal patterns (".." or absolute paths in entry names) on OfficeScan 11.0 and XG (12.0)
  • Only OfficeScan 11.0 and XG (12.0) are affected; scope detection and patch verification to those versions
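The vulnerability class behind the description and the detection bullets above is zip path traversal ("zip slip"): an archive entry named with ".." or an absolute path is joined onto the extraction folder without a containment check and ends up outside it. The following is an added example, not OfficeScan code and not derived from any Trend Micro source; it builds a constructed malicious zip in memory, shows a naive extractor writing outside its target folder, a hardened extractor that validates every entry against the real extraction root before writing anything, and a scanner that lists traversal entries so an uploaded archive can be flagged before extraction. All paths and function names are the example's own assumptions.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile


def build_zip(entries):
    """Build an in-memory zip from {entry_name: bytes}. Constructed sample
    input: zipfile.writestr() does not sanitize names, so '../x' is stored as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _normalize(name):
    # Backslashes are path separators on a Windows server, so treat them like '/'.
    return name.replace("\\", "/")


def traversal_entries(zip_bytes):
    """Return entry names that would escape the extraction folder: absolute
    paths, drive-letter paths, or any '..' path component."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            p = _normalize(name)
            if p.startswith("/") or re.match(r"^[A-Za-z]:", p) or ".." in p.split("/"):
                bad.append(name)
    return bad


def extract_naive(zip_bytes, dest):
    """Vulnerable pattern: join the entry name onto dest with no containment
    check. An entry such as '../outside.txt' is written above dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, _normalize(info.filename)))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def extract_safe(zip_bytes, dest):
    """Hardened pattern: resolve dest to its real path, validate every entry
    first (two passes, so a bad entry rejects the whole archive before any
    file is written), then extract only entries contained in dest."""
    dest_real = os.path.realpath(dest)
    os.makedirs(dest_real, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, _normalize(info.filename)))
            # commonpath differs (or raises for a different drive) if target escapes dest.
            try:
                contained = os.path.commonpath([dest_real, target]) == dest_real
            except ValueError:
                contained = False
            if not contained:
                raise ValueError("traversal entry rejected: %s" % info.filename)
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(info.filename)
    return written


def demo():
    """Run both extractors against a constructed archive and report what happened."""
    tmp = tempfile.mkdtemp()
    try:
        dest = os.path.join(tmp, "webroot", "extract")
        os.makedirs(dest)
        malicious = build_zip({"ok/app.txt": b"fine", "../outside.txt": b"escaped"})
        clean = build_zip({"ok/app.txt": b"fine"})
        extract_naive(malicious, dest)
        escaped = os.path.exists(os.path.join(tmp, "webroot", "outside.txt"))
        try:
            extract_safe(malicious, os.path.join(tmp, "safe"))
            rejected = False
        except ValueError:
            rejected = True
        # A rejected archive must leave nothing behind in the safe folder.
        leftovers = os.listdir(os.path.join(tmp, "safe"))
        return {
            "bad_entries": traversal_entries(malicious),
            "escaped": escaped,
            "rejected": rejected,
            "leftovers": leftovers,
            "safe_written": extract_safe(clean, os.path.join(tmp, "safe")),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check compares real paths rather than string prefixes, so a sibling folder such as "extract2" or a symlink inside the extraction root cannot be used to slip past it, and validating the whole archive before writing avoids a partially extracted payload when a later entry is the malicious one. The same `traversal_entries` check can run on uploaded archives in a detection pipeline to flag the pattern the bullets above describe.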

CVSS provenance

NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 7.5 HIGH
CISA: 7.5 HIGH

Note that both NVD vectors score the attack as requiring no privileges (PR:N, Au:N) and as affecting only confidentiality (C:H/I:N/A:N), while the description above states that an attack requires user authentication and may lead to remote code execution; treat the vector as a floor, not a description of the impact, when prioritizing.