cbcvebase.
CVE-2023-41179
published 2023-09-19

Priority: P1 · 80 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW
CISA Known Exploited Vulnerability, remediation due 2023-10-12
Exploited in the wild
EPSS: 4.74% (90.7th percentile)
A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation. Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.

Affected

6 ranges

Vendor | Product | Version range | Fixed in
trend_micro_inc | trend_micro_apex_one | >= 2019 (14.0), < 14.0.0.12380 | 14.0.0.12380
trend_micro_inc | trend_micro_apex_one | >= SaaS, < 14.0.12637 | 14.0.12637
trend_micro_inc | trend_micro_worry-free_business_security | >= 10.0 SP1, < 10.0 SP1 Build 2495 | 10.0 SP1 Build 2495
trend_micro_inc | trend_micro_worry-free_business_security_services | >= SaaS, < 6.7.3578 / 14.3.1105 | 6.7.3578 / 14.3.1105
trendmicro | apex_one | (no range given) | (not given)
trendmicro | worry-free_business_security | (no range given) | (not given)

Detection & IOCs (extracted from sources)

  • Exploitation requires prior administrative console access; monitor for unauthorized or anomalous logins to the Trend Micro Apex One / Worry-Free Business Security management console, especially from external or untrusted networks.
  • The attack vector is the third-party AV uninstaller module; monitor for unexpected process execution or child processes spawned from the uninstaller module component within Apex One or WFBS.
  • Alert on arbitrary code execution running with SYSTEM privileges on endpoints where the Apex One security agent is installed, as exploitation results in system-level code execution on the agent host.
  • Trend Micro confirmed at least one active in-the-wild exploitation attempt; treat any unpatched Apex One 2019 or WFBS 10.0 SP1 instance with internet-exposed management consoles as high-priority for investigation.
  • Exploitation requires the attacker to have already obtained valid administrative console credentials; the vulnerability is not exploitable without prior console access, limiting remote unauthenticated attack surface.
  • Restricting management console access to trusted/internal networks is an effective workaround to reduce exposure, but does not fully remediate the vulnerability — patching is required.
  • Patched versions are: Apex One 2019 SP1 Patch 1 (Build 12380), Apex One SaaS 14.0.12637, WFBS Patch 2495, and WFBSS July 31 update. Unpatched instances remain at risk of lateral movement by threat actors already inside the network.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck | | 7.2 | HIGH |
cisa | | 7.2 | HIGH |