CVE-2020-24557
published 2020-09-01
CVE-2020-24557: A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product…
Priority P180 · high · 7.8 · CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2022-05-03
Exploited in the wild
EPSS 2.64% · 83.7th percentile
A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_apex_one | — | — |
| trend_micro | trend_micro_worry-free_business_security | — | — |
| trendmicro | apex_one | — | — |
| trendmicro | worry-free_business_security | — | — |
Detection & IOCs (extracted from sources)
- Attacker targets a specific Trend Micro product folder to temporarily disable security as part of the privilege escalation chain; monitor for unexpected permission or ACL changes on Trend Micro Apex One / Worry-Free Business Security installation directories.
- Exploitation requires prior low-privileged code execution on the target; correlate initial-access events (e.g., low-integrity process spawning) with subsequent privilege escalation activity on hosts running Trend Micro Apex One or Worry-Free Business Security 10.0 SP1.
- Hard-link abuse is the core Windows primitive leveraged for privilege escalation; alert on hard link creation (e.g., via the CreateHardLink API) and on junction point creation by low-privileged processes targeting Trend Micro product paths.
- Windows 10 version 1909 (OS Build 18363.719) and later mitigates the hard-link vector; flag exploitation attempts specifically on hosts running earlier Windows 10 builds or older Windows versions.
- SaaS (Apex One as a Service) customers were automatically patched in August 2020; only on-premises deployments that have not applied the August 2020 patch remain at risk.
- Affected products span Trend Micro Apex One, OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 on Windows; scope detection rules accordingly.
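The detection points above, as an added example that is not from the page or the vendor: it filters Windows Security events 4664 (hard link creation) and 4670 (permissions changed) for paths under the product folder and rates hosts below build 18363.719 as exposed. The folder path, host names, SIDs and event dictionaries are constructed placeholders, and treating LocalSystem as the only expected writer is an assumption.

```python
import ntpath

# Placeholder: the page names no folder; use your agent installation directory.
WATCHED_DIRS = [r"C:\PLACEHOLDER\TrendMicroAgentDir"]
HARDLINK_FIX = (18363, 719)  # Windows 10 1909 build cited on the page
SYSTEM_SID = "S-1-5-18"      # LocalSystem, assumed to be the expected writer
# Windows Security events: 4664 = hard link creation, 4670 = permissions changed
PATH_FIELDS = {4664: ("FileName", "LinkName"), 4670: ("ObjectName",)}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def under_watched(path, watched=WATCHED_DIRS):
    """Case-insensitive test: path is a watched directory or lies inside one."""
    p = _norm(path)
    return any(p == _norm(w) or p.startswith(_norm(w) + "\\") for w in watched)

def hardlink_mitigated(build, ubr):
    """True at or above build 18363.719 (compare build first, then revision)."""
    return (build, ubr) >= HARDLINK_FIX

def triage(events, hosts):
    """Return (host, event_id, path, severity) for each event worth review."""
    findings = []
    for ev in events:
        fields = PATH_FIELDS.get(ev["EventID"])
        if fields is None or ev["SubjectUserSid"] == SYSTEM_SID:
            continue
        hit = next((ev[f] for f in fields if under_watched(ev[f])), None)
        if hit is None:
            continue
        exposed = not hardlink_mitigated(*hosts[ev["Computer"]])
        findings.append((ev["Computer"], ev["EventID"], hit,
                         "high" if exposed else "review"))
    return findings

# Constructed sample inventory and events (not real telemetry).
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
HOSTS = {"ws-old": (18362, 1016), "ws-new": (19041, 508)}
D = WATCHED_DIRS[0]
EVENTS = [
    {"EventID": 4664, "Computer": "ws-old", "SubjectUserSid": USER,
     "FileName": r"C:\ProgramData\constructed.bin", "LinkName": D.lower() + r"\x.tmp"},
    {"EventID": 4670, "Computer": "ws-new", "SubjectUserSid": USER, "ObjectName": D},
    {"EventID": 4664, "Computer": "ws-old", "SubjectUserSid": SYSTEM_SID,
     "FileName": D + r"\a.dat", "LinkName": D + r"\b.dat"},
    {"EventID": 4664, "Computer": "ws-old", "SubjectUserSid": USER,
     "FileName": r"C:\Users\u\a.txt", "LinkName": r"C:\Users\u\b.txt"},
]
print(triage(EVENTS, HOSTS))
```

Both event IDs belong to the Audit File System subcategory, so they only appear on hosts where that auditing is enabled.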
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.8 HIGH
cisa · 7.8 HIGH
GHSA
ghsa_unreviewed·2022-05-24
CVE-2020-24557 [HIGH] CWE-269 GHSA-rf37-cmcm-645m: A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security t
A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.
VulnCheck
Trend Micro Multiple Products Improper Access Control Vulnerability
vulncheck·2020·CVSS 7.8
CVE-2020-24557 [HIGH] Trend Micro Multiple Products Improper Access Control Vulnerability
Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function, and attain privilege escalation.
Affected: Trend Micro Apex One, OfficeScan and Worry-Free Business Security Agents
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.jpcert.or.jp/english/at/2021/at210020.html; https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediatio
CISA
Trend Micro Multiple Products Improper Access Control Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2020-24557 [HIGH] Trend Micro Multiple Products Improper Access Control Vulnerability
Vulnerability: Trend Micro Multiple Products Improper Access Control Vulnerability
Affected: Trend Micro Apex One, OfficeScan, and Worry-Free Business Security
Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function, and attain privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-24557
Remediation Due Date: 2022-05-03
No detection rules found.
No public exploits indexed.
Tenable
CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild
blogs_tenable·2022-09-14·CVSS 7.2
[HIGH] CVE-2022-40139: Vulnerability in Trend Micro Apex One Exploited in the Wild
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
Trend Micro Encourages Patching Of Old Vulnerability
blogs_trendmicro·2021-04-22·CVSS 7.8
[HIGH] Trend Micro Encourages Patching Of Old Vulnerability
Exploits & Vulnerabilities
# Trend Micro Encourages Patching Of Old Vulnerability
Trend Micro released several patches last year to address known vulnerabilities. Since that time, an attempt was observed to leverage one of these vulnerabilities in a single unpatched customer system.
By: Trend Micro
2021/04/22
This is not a zero-day exploit since the attempt occurred long after the patch was released, and although the commonly used phrase “in the wild” can suggest a widespread issue, it has not been observed beyond the single affected custome
- https://success.trendmicro.com/solution/000263632
- https://success.trendmicro.com/solution/000267260
- https://www.zerodayinitiative.com/advisories/ZDI-20-1094/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-24557
2020-09-01 · Published
2021-11-03 · Added to CISA KEV
Exploited in the wild