⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..

CVE-2020-8468Injection in Apex ONE

CWE-74InjectionCWE-494Download of Code Without Integrity Check6 documents6 sources
Severity
8.8HIGHNVD
EPSS
18.4%
top 4.76%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
3
Trendmicro Apex ONETrendmicro OfficescanTrendmicro Worry-free Business Security
Timeline
PublishedMar 18
KEV addedNov 3
KEV dueMay 3
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (9.0, 9.5, 10.0) agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Patches

Patch: success.trendmicro.comPatch: success.trendmicro.comPatch: success.trendmicro.com

🔴Vulnerability Details

3
GHSA
GHSA-963g-gc86-62cp: Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (92022-05-24
CVEList
CVE-2020-8468: Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Business Security (92020-03-18
VulnCheck
Trend Micro Multiple Products Content Validation Escape Vulnerability2020

📋Vendor Advisories

1
CISA
Trend Micro Multiple Products Content Validation Escape Vulnerability2021-11-03
CVE-2020-8468 — Injection in Trendmicro Apex ONE | cvebase