cbcvebase.
CVE-2022-40139
published 2022-09-19

Priority: P1 (79, high)
CVSS 3.1 base score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, remediation due 2022-10-06
ITW: Exploited in the wild
EPSS: 3.05% (85.9th percentile)
Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow an Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.

Affected

2 ranges
Vendor       | Product              | Version range | Fixed in
trend_micro  | trend_micro_apex_one |               |
trendmicro   | apex_one             |               |

Detection & IOCs (extracted from sources)

  • CVE-2022-40139 was exploited in the wild (zero-day) in September 2022; any Apex One server-initiated rollback package download to clients should be treated as suspicious if the package cannot be verified.
  • The attack vector requires an authenticated Apex One server administration console session; monitor for anomalous admin console logins or unexpected rollback operations initiated from the server to clients.
  • The exploitation mechanism involves the server instructing clients to download an unverified rollback package; alert on Apex One client processes initiating unexpected rollback/update downloads, especially to unverified or unsigned packages.
  • Exploitation requires prior compromise of the Apex One server administration console; the vulnerability is not directly remotely exploitable without that initial access.
  • Vendor patch guidance and advisory details are available at the Trend Micro support portal; apply updates per vendor instructions as mandated by CISA with a remediation due date of 2022-10-06.

CVSS provenance

nvd: v3.1, 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.2 HIGH
cisa: 7.2 HIGH