CVE-2020-8604
published 2020-05-27

CVE-2020-8604: A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive information on affected…

Priority: P273 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 89.66% (99.8th percentile)

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to disclose sensitive information on affected installations.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
trend_micro | trend_micro_interscan_web_security_virtual_appliance | |
trendmicro | interscan_web_security_virtual_appliance | |

Detection & IOCs (extracted from sources)

port: 8080
other: LogSettingHandler
other: mount_device
other: file
  • Monitor for unauthenticated requests to the proxy service on port 8080 that attempt to reach internal services — this is the SSRF pivot used in the exploit chain.
  • Detect requests targeting the Apache Solr application bundled within the product, particularly those supplying a user-controlled 'file' parameter — indicative of path traversal / information disclosure (CVE-2020-8604).
  • Alert on requests to the LogSettingHandler endpoint containing the 'mount_device' parameter with shell metacharacters — this is the RCE injection point requiring authentication.
  • The full exploit chain results in unauthenticated RCE as root; look for unexpected root-level process spawns originating from the IWSS web service process.
  • The RCE via LogSettingHandler (mount_device injection) requires authentication on its own; it is only unauthenticated when chained with the SSRF via port 8080 and the Solr path traversal.
  • Only Trend Micro InterScan Web Security Virtual Appliance versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N