CVE-2020-28580
Published: 2020-11-18
Priority: P2 · 59 · CVSS 3.1: 7.2 HIGH
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 44.55% (98.6th percentile)
A command injection vulnerability in AddVLANItem of Trend Micro InterScan Web Security Virtual Appliance 6.5 SP2 could allow an authenticated, remote attacker to send specially crafted HTTP messages and execute arbitrary OS commands with elevated privileges.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | — | — |
| trendmicro | interscan_web_security_virtual_appliance | — | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests to /servlet/com.trend.iwss.gui.servlet.ManageVLANSettings on port 8443 containing shell metacharacters (e.g., semicolons, pipes, backticks) in VLAN-related parameters, indicative of command injection via AddVLANItem.
- The vulnerable code passes attacker-controlled input directly into a snprintf format string '%s addVLANItem %s' before calling system(); alert on unexpected child processes spawned by ui_ctl.sh or the iscan account.
- The exploit requires a high-privileged authenticated session; monitor for logins to /uilogonsubmit.jsp followed immediately by requests to the ManageVLANSettings servlet as a lateral-movement or privilege-abuse pattern.
- Execution of OS commands occurs with elevated privileges under the iscan account; alert on unexpected processes or file writes owned by iscan on IWSVA appliances.
- Exploitation requires authentication with a high-privileged account; the attack surface is reduced if administrative access to the IWSVA management interface (port 8443) is restricted to trusted networks.
- The vulnerable function Java_com_trend_iwss_gui_IWSSJNI_AddVLANItem resides in libuiauutil.so; detections targeting this library are specific to Trend Micro IWSVA 6.5 SP2 build 1901 and may not apply to other versions.
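The first and third indicators above describe two log-based checks: a POST to the ManageVLANSettings servlet on the management port whose parameters carry shell metacharacters, and a login to /uilogonsubmit.jsp followed shortly by a request to that servlet from the same source. The script below is an added example that implements both checks together; it is not code from the original page, from the cited sources, or from Trend Micro. It assumes a reverse proxy or WAF in front of the IWSVA management interface that writes one JSON object per request with the fields `ts`, `src_ip`, `method`, `dst_port`, `path` and decoded `params`; that log format, the five-minute pairing window and the sample records are all constructed for the example.

```python
"""Log-based checks for the CVE-2020-28580 indicators (added example).

Assumed input: JSON-lines records from a proxy/WAF in front of the IWSVA
management interface, with fields ts, src_ip, method, dst_port, path, params.
The format and every sample record below are constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta

VLAN_SERVLET = "/servlet/com.trend.iwss.gui.servlet.ManageVLANSettings"
LOGIN_PATH = "/uilogonsubmit.jsp"
MGMT_PORT = 8443
# Metacharacters named in the indicator (semicolon, pipe, backtick) plus the
# other common command separators and the $( ) substitution form.
SHELL_META = re.compile(r"[;|`&\n]|\$\(")
# Assumed pairing window between a login and a VLAN-servlet request.
LOGIN_TO_VLAN_WINDOW = timedelta(minutes=5)

# Constructed sample log: one suspicious session (10.0.0.5) and one benign
# administrative session (10.0.0.9). Parameter values are deliberately inert.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2020-11-18T10:00:00", "src_ip": "10.0.0.5", "method": "POST",
     "dst_port": 8443, "path": LOGIN_PATH, "params": {"username": "admin"}},
    {"ts": "2020-11-18T10:00:12", "src_ip": "10.0.0.5", "method": "POST",
     "dst_port": 8443, "path": VLAN_SERVLET,
     "params": {"action": "AddVLANItem", "vlanName": "mgmt;x"}},
    {"ts": "2020-11-18T11:30:00", "src_ip": "10.0.0.9", "method": "POST",
     "dst_port": 8443, "path": VLAN_SERVLET,
     "params": {"action": "AddVLANItem", "vlanName": "office"}},
    {"ts": "2020-11-18T11:30:05", "src_ip": "10.0.0.9", "method": "GET",
     "dst_port": 8443, "path": "/", "params": {}},  # placeholder path
])


def parse_log(text):
    """Parse JSON-lines records, skipping malformed lines, sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def metachar_hits(rec):
    """Names of parameters carrying shell metacharacters, but only for POSTs
    to the VLAN servlet on the management port (indicator 1)."""
    if rec.get("method") != "POST" or rec.get("dst_port") != MGMT_PORT:
        return []
    if rec.get("path") != VLAN_SERVLET:
        return []
    return [k for k, v in rec.get("params", {}).items()
            if SHELL_META.search(str(v))]


def login_then_vlan(records):
    """(src_ip, iso timestamp) for each VLAN-servlet request preceded by a
    login from the same source within the window (indicator 3)."""
    last_login = {}
    hits = []
    for rec in records:  # records are already time-ordered
        if rec["path"] == LOGIN_PATH and rec["method"] == "POST":
            last_login[rec["src_ip"]] = rec["ts"]
        elif rec["path"] == VLAN_SERVLET:
            seen = last_login.get(rec["src_ip"])
            if seen is not None and rec["ts"] - seen <= LOGIN_TO_VLAN_WINDOW:
                hits.append((rec["src_ip"], rec["ts"].isoformat()))
    return hits


def analyze(text):
    """Run both checks over a log text and return a list of alert dicts."""
    records = parse_log(text)
    alerts = []
    for rec in records:
        params = metachar_hits(rec)
        if params:
            alerts.append({"rule": "vlan-servlet-shell-metachar",
                           "src_ip": rec["src_ip"], "params": params})
    for src_ip, ts in login_then_vlan(records):
        alerts.append({"rule": "login-then-vlan-servlet",
                       "src_ip": src_ip, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

The benign session from 10.0.0.9 produces no alert on either rule: its VLAN name contains no metacharacter, and no login from that source precedes the servlet request within the window. The sequence rule alone is noisy on a busy appliance (any admin who logs in and edits VLANs trips it), so it is best used to raise the priority of a metacharacter hit from the same source rather than as a stand-alone alert.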
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
No public exploits indexed.