CVE-2022-25330
Published 2022-02-24
Priority: P2 · 62 · Critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.87% (91.0th percentile)
Integer overflow conditions that exist in Trend Micro ServerProtect 6.0/5.8 Information Server could allow a remote attacker to crash the process or achieve remote code execution.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | trend_micro_serverprotect_for_emc_celerra | — | — |
| trend_micro | trend_micro_serverprotect_for_microsoft_windows_novell_netware | — | — |
| trend_micro | trend_micro_serverprotect_for_network_appliance_filers | — | — |
| trend_micro | trend_micro_serverprotect_for_storage | — | — |
| trendmicro | serverprotect | — | — |
| trendmicro | serverprotect_for_network_appliance_filer | — | — |
| trendmicro | serverprotect_for_storage | — | — |
Detection & IOCs (extracted from sources)
- bytes: magic=0x87654321
- Flag cmd_73730 messages where max_cnt is a large value such as 0x04924925, which triggers the integer overflow resulting in a small heap allocation (18 bytes) and a subsequent heap buffer overflow.
- Detect unauthenticated registration abuse: monitor for CMD_REGISTER (command 2) messages to TCP port 5005 with console type 1 using the static credential string embedded in the packet.
- Exploitation of CVE-2022-25330 (integer overflow via command 73730) requires the attacker to first authenticate or exploit CVE-2022-25329 (static credential) to register as a client console on TCP port 5005.
- The attacker must supply a reachable Windows host and valid credentials in the cmd_73730 payload; the overflow is triggered when the server queries the attacker-controlled registry and copies a large number of Normal Server names into the undersized heap buffer.
- Affected version is Trend Micro ServerProtect for Microsoft Windows/Novell NetWare 5.8 build 1575; the vulnerable binary is EarthAgent.exe version 5.80.0.1575.
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No public exploits indexed.