CVE-2022-25330
published 2022-02-24


Priority: P262 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.87% (91.0th percentile)
Integer overflow conditions that exist in Trend Micro ServerProtect 6.0/5.8 Information Server could allow a remote attacker to crash the process or achieve remote code execution.

Affected (7 ranges; no version range or fixed-in version is listed for any entry)

Vendor | Product | Version range | Fixed in
trend_micro | trend_micro_serverprotect_for_emc_celerra | |
trend_micro | trend_micro_serverprotect_for_microsoft_windows_novell_netware | |
trend_micro | trend_micro_serverprotect_for_network_appliance_filers | |
trend_micro | trend_micro_serverprotect_for_storage | |
trendmicro | serverprotect | |
trendmicro | serverprotect_for_network_appliance_filer | |
trendmicro | serverprotect_for_storage | |

Detection & IOCs (extracted from sources)

port: 5005/tcp
command: 73730
process: EarthAgent.exe
registry: HKLM\SOFTWARE\WOW6432Node\Trend\ServerProtect\CurrentVersion\InformationServer\
bytes: magic=0x87654321
  • Flag cmd_73730 messages whose max_cnt field holds a large value such as 0x04924925: this value triggers the integer overflow, resulting in a small heap allocation (18 bytes) and a subsequent heap buffer overflow.
  • Detect unauthenticated registration abuse: monitor for CMD_REGISTER (command 2) messages to TCP port 5005 with console type 1 that carry the static credential string embedded in the packet.
  • Exploitation of CVE-2022-25330 (integer overflow via command 73730) requires the attacker to first authenticate, or to exploit CVE-2022-25329 (static credential), in order to register as a client console on TCP port 5005.
  • The attacker must supply a reachable Windows host and valid credentials in the cmd_73730 payload; the overflow is triggered when the server queries the attacker-controlled registry and copies a large number of Normal Server names into the undersized heap buffer.
  • The affected version is Trend Micro ServerProtect for Microsoft Windows/Novell NetWare 5.8 build 1575; the vulnerable binary is EarthAgent.exe version 5.80.0.1575.

CVSS provenance

NVD | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD | v2.0 | 7.5 HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P