CVE-2019-18188 — Command Injection in Micro Apex ONE

CWE-77 — Command Injection CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

7.5HIGHNVD

EPSS

2.7%

top 14.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trend Micro Apex ONE Trendmicro Apex ONE

Timeline

PublishedOct 28

Latest updateMay 24

Description

Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a specific folder on the Apex One server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to the IUSR account, which has restricted permission and is unable to make major system changes. An attempted attack requires user authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDtrendmicro/apex_one2019

▶CVEListV5trend_micro/trend_micro_apex_oneAll

🔴Vulnerability Details

GHSA

GHSA-38jr-7vx6-v3p4: Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a sp↗2022-05-24

▶

CVEList

CVE-2019-18188: Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a sp↗2019-10-28

▶