CVE-2022-25329

CWE-798 — Hard-coded Credentials3 documents3 sources

Severity

9.8CRITICAL

EPSS

2.6%

top 14.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Trend Micro Trend Micro Serverprotect FOR EMC Celerra Trend Micro Trend Micro Serverprotect FOR Microsoft Windows / Novell Netware Trend Micro Trend Micro Serverprotect FOR Network Appliance Filers +4 more

Timeline

PublishedFeb 24

Latest updateFeb 25

Description

Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console. An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶NVDtrendmicro/serverprotect5.8, 6.0+1

▶CVEListV5trend_micro/trend_micro_serverprotect_for_storage6.0

▶CVEListV5trend_micro/trend_micro_serverprotect_for_emc_celerra5.8

▶CVEListV5trend_micro/trend_micro_serverprotect_for_network_appliance_filers5.8

▶CVEListV5trend_micro/trend_micro_serverprotect_for_microsoft_windows_/_novell_netware5.8

Patches

Patch: success.trendmicro.com ↗Patch: success.trendmicro.com ↗

🔴Vulnerability Details

GHSA

GHSA-4m4r-x763-43q2: Trend Micro ServerProtect 6↗2022-02-25

▶

CVEList

CVE-2022-25329: Trend Micro ServerProtect 6↗2022-02-24

▶