⚠ Actively exploited
Added to CISA KEV on 2022-03-31. Federal agencies required to patch by 2022-04-21. Required action: Apply updates per vendor instructions..

CVE-2022-26871Insufficient Verification of Data Authenticity in Micro Apex Central

CWE-345Insufficient Verification of Data AuthenticityCWE-434Unrestricted File UploadCWE-184Incomplete List of Disallowed Inputs5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
19.4%
top 4.61%
CISA KEV
KEV
Added 2022-03-31
Due 2022-04-21
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Trend Micro Apex CentralTrendmicro Apex Central
Timeline
PublishedMar 29
KEV addedMar 31
KEV dueApr 21
CISA Required Action: Apply updates per vendor instructions.

Description

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5trend_micro/trend_micro_apex_central2019 (on-premise), SaaS

Patches

Patch: success.trendmicro.comPatch: success.trendmicro.comPatch: success.trendmicro.com

🔴Vulnerability Details

3
GHSA
GHSA-j827-v44f-fw4p: An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which co2022-03-30
CVEList
CVE-2022-26871: An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which co2022-03-29
VulnCheck
Trend Micro Apex Central Arbitrary File Upload Vulnerability2022

📋Vendor Advisories

1
CISA
Trend Micro Apex Central Arbitrary File Upload Vulnerability2022-03-31
CVE-2022-26871 — Trend Micro Apex Central vulnerability | cvebase