CVE-2020-24557
published 2020-09-01

Priority: P1, 80, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2022-05-03
ITW: Exploited in the wild
EPSS: 2.64% (83.7th percentile)

A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.

Affected

4 ranges

Vendor       Product                                  Version range  Fixed in
trend_micro  trend_micro_apex_one
trend_micro  trend_micro_worry-free_business_security
trendmicro   apex_one
trendmicro   worry-free_business_security

Detection & IOCs (extracted from sources)

  • Attacker targets a specific Trend Micro product folder to temporarily disable security as part of the privilege escalation chain — monitor for unexpected permission or ACL changes on Trend Micro Apex One / Worry-Free Business Security installation directories
  • Exploitation requires prior low-privileged code execution on the target; correlate with initial-access events (e.g., low-integrity process spawning) followed by privilege escalation activity on hosts running Trend Micro Apex One or Worry-Free Business Security 10.0 SP1
  • Hard-link abuse is the core Windows primitive leveraged for privilege escalation; alert on hard link creation (e.g., via the CreateHardLink API) and junction point creation by low-privileged processes targeting Trend Micro product paths
  • Windows 10 version 1909 (OS Build 18363.719) and later mitigates the hard-link vector; flag exploitation attempts specifically on hosts running earlier Windows 10 builds or older Windows versions
  • SaaS (Apex One as a Service) customers were automatically patched in August 2020; only on-premises deployments that have not applied the August 2020 patch remain at risk
  • Affected products span Trend Micro Apex One, OfficeScan XG SP1, and Worry-Free Business Security 10.0 SP1 on Windows; scope detection rules accordingly

CVSS provenance

nvd        v3.1  7.8  HIGH  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0  7.2  HIGH  AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck        7.8  HIGH
cisa             7.8  HIGH