⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2021-11-17. Required action: Apply updates per vendor instructions..

CVE-2021-36741

CWE-434Unrestricted File UploadCWE-22Path TraversalCWE-20Improper Input Validation5 documents5 sources
Severity
8.8HIGH
EPSS
0.7%
top 28.82%
CISA KEV
KEV
Added 2021-11-03
Due 2021-11-17
Exploit
Exploited in wild
Active exploitation observed
Affected products
7
Trend Micro Trend Micro Apex ONETrend Micro Trend Micro OfficescanTrend Micro Trend Micro Worry-free Business Security+4 more
Timeline
PublishedJul 29
KEV addedNov 3
KEV dueNov 17
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attached to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to logon to the product�s management console in order to exploit this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages7 packages

CVEListV5trend_micro/trend_micro_apex_one2019, SaaS

🔴Vulnerability Details

3
GHSA
GHSA-7w3v-7x22-4g8v: An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 102022-05-24
CVEList
CVE-2021-36741: An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 102021-07-29
VulnCheck
Trend Micro Multiple Products Improper Input Validation Vulnerability2021

📋Vendor Advisories

1
CISA
Trend Micro Multiple Products Improper Input Validation Vulnerability2021-11-03
CVE-2021-36741 (HIGH CVSS 8.8) | An improper input validation vulner | cvebase.io