CVE-2020-8606
published 2020-05-27


Priority P182 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 72.74% (99.4th percentile)

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authentication on affected installations of Trend Micro InterScan Web Security Virtual Appliance.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_interscan_web_security_virtual_appliance | | |
| trendmicro | interscan_web_security_virtual_appliance | | |

Detection & IOCs (extracted from sources)

port: 8080
other: LogSettingHandler
other: mount_device
  • Monitor for unauthenticated requests to the proxy service on port 8080 that attempt to reach internal services — this is the SSRF/auth-bypass vector (CVE-2020-8606).
  • Alert on requests targeting the LogSettingHandler class with a mount_device parameter containing shell metacharacters or command injection payloads.
  • Monitor Apache Solr requests (internal to the appliance) for path traversal patterns in the 'file' parameter, which can be used to disclose files as the IWSS user.
  • Chain detection: look for sequences of unauthenticated port-8080 proxy abuse followed by Solr file-read requests and then LogSettingHandler command injection — this three-stage chain achieves unauthenticated RCE as root.
  • Only Trend Micro InterScan Web Security Virtual Appliance versions prior to 6.5 SP2 Patch 4 (Build 1901) are vulnerable; patch to that build or later to remediate.
  • The proxy service port (8080) is the default but may be reconfigured; verify the actual listening port in your deployment before writing port-based detection rules.
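The chain detection described above, sketched as a per-source correlator (an added example, not code from this page or from Trend Micro). The event fields, the 600-second window, the placeholder URLs and the assumption that the handler name appears in the logged request URL are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

PROXY_PORT = 8080      # default per the page; use your deployment's actual port
WINDOW_SECONDS = 600   # assumed correlation window
SHELL_META = re.compile(r"[;&|`$<>\n]")

def is_internal(host):
    """True for localhost or a loopback/private IP literal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return ip.is_loopback or ip.is_private

def stages(ev):
    """Return which chain stages (1, 2, 3) a single request matches."""
    url = urlsplit(ev["url"])
    params = parse_qs(url.query)  # values come back percent-decoded
    hit = set()
    if ev["port"] == PROXY_PORT and not ev["authed"] and is_internal(url.hostname or ""):
        hit.add(1)  # unauthenticated proxy request aimed at an internal service
    if "solr" in url.path.lower() and any(".." in v for v in params.get("file", [])):
        hit.add(2)  # path traversal in the Solr 'file' parameter
    if "LogSettingHandler" in ev["url"] and any(SHELL_META.search(v) for v in params.get("mount_device", [])):
        hit.add(3)  # shell metacharacters in mount_device
    return hit

def find_chains(events):
    """Return (src, first_ts, last_ts) for sources hitting stages 1, 2, 3 in order."""
    progress, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        nxt, start = progress.get(ev["src"], (1, ev["ts"]))
        if nxt == 1 or ev["ts"] - start > WINDOW_SECONDS:
            nxt, start = 1, ev["ts"]  # (re)start the chain at this request
        hit = stages(ev)
        while nxt in hit:  # one request may satisfy several consecutive stages
            nxt += 1
        if nxt > 3:
            alerts.append((ev["src"], start, ev["ts"]))
            nxt = 1
        progress[ev["src"]] = (nxt, start)
    return alerts

SAMPLE = [  # constructed events; addresses, hosts and paths are placeholders
    {"ts": 100, "src": "198.51.100.7", "port": 8080, "authed": False, "url": "http://127.0.0.1:8983/solr/placeholder?file=..%2F..%2Fexample.conf"},
    {"ts": 160, "src": "198.51.100.7", "port": 8080, "authed": False, "url": "http://127.0.0.1/placeholder/LogSettingHandler?mount_device=sdb1%3Bid"},
    {"ts": 170, "src": "203.0.113.9", "port": 8443, "authed": True, "url": "https://iwsva.example/placeholder/LogSettingHandler?mount_device=sdb1"},
]
```

`find_chains(SAMPLE)` flags only the first source; the authenticated request with a clean `mount_device` value matches no stage.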

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P