CVE-2023-41179
Published 2023-09-19
Priority: P1 · 80 · high · CVSS 3.1: 7.2
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
CISA Known Exploited Vulnerability (due 2023-10-12)
Exploited in the wild
EPSS: 4.74% (90.7th percentile)
A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation.
Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro_inc | trend_micro_apex_one | >= 2019 (14.0) < 14.0.0.12380 | 14.0.0.12380 |
| trend_micro_inc | trend_micro_apex_one | >= SaaS < 14.0.12637 | 14.0.12637 |
| trend_micro_inc | trend_micro_worry-free_business_security | >= 10.0 SP1 < 10.0 SP1 Build 2495 | 10.0 SP1 Build 2495 |
| trend_micro_inc | trend_micro_worry-free_business_security_services | >= SaaS < 6.7.3578 / 14.3.1105 | 6.7.3578 / 14.3.1105 |
| trendmicro | apex_one | — | — |
| trendmicro | worry-free_business_security | — | — |
Detection & IOCs (extracted from sources)
- Exploitation requires prior administrative console access; monitor for unauthorized or anomalous logins to the Trend Micro Apex One / Worry-Free Business Security management console, especially from external or untrusted networks.
- The attack vector is the third-party AV uninstaller module; monitor for unexpected process execution or child processes spawned from the uninstaller module component within Apex One or WFBS.
- Alert on arbitrary code execution running with SYSTEM privileges on endpoints where the Apex One security agent is installed, as exploitation results in system-level code execution on the agent host.
- Trend Micro confirmed at least one active in-the-wild exploitation attempt; treat any unpatched Apex One 2019 or WFBS 10.0 SP1 instance with internet-exposed management consoles as high-priority for investigation.
- Exploitation requires the attacker to have already obtained valid administrative console credentials; the vulnerability is not exploitable without prior console access, limiting remote unauthenticated attack surface.
- Restricting management console access to trusted/internal networks is an effective workaround to reduce exposure, but does not fully remediate the vulnerability — patching is required.
- Patched versions are: Apex One 2019 SP1 Patch 1 (Build 12380), Apex One SaaS 14.0.12637, WFBS Patch 2495, and WFBSS July 31 update. Unpatched instances remain at risk of lateral movement by threat actors already inside the network.
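One way to turn the guidance above into a triage pass over an asset inventory, as an added example that is not code from this page or from Trend Micro. The fixed versions come from the "Affected" table; the product keys, the `exposed` flag and every inventory row are constructed for illustration.

```python
import re

# Fixed versions copied from the "Affected" table on this page.
FIXED = {
    "apex_one": ["14.0.0.12380"],
    "apex_one_saas": ["14.0.12637"],
    "wfbs": ["10.0 SP1 Build 2495"],
    "wfbss": ["6.7.3578", "14.3.1105"],
}

# Constructed inventory: hosts, installed builds and exposure flags are made up.
INVENTORY = [
    {"host": "av-mgmt-01", "product": "apex_one", "version": "14.0.0.11564", "exposed": True},
    {"host": "av-mgmt-02", "product": "apex_one", "version": "14.0.0.12380", "exposed": True},
    {"host": "wfbs-branch", "product": "wfbs", "version": "10.0 SP1 Build 2480", "exposed": False},
    {"host": "wfbs-old", "product": "wfbs", "version": "10.0 Build 1531", "exposed": False},
]

def parse(version):
    """Turn '14.0.0.12380' or '10.0 SP1 Build 2495' into a tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_patched(product, version):
    """True/False when comparable with a fixed build, None when it needs manual review."""
    have = parse(version)
    for fixed in map(parse, FIXED.get(product, [])):
        # Compare only within the same version train and the same version format.
        if len(fixed) == len(have) and fixed[0] == have[0]:
            return have >= fixed
    return None

def triage(inventory):
    """Return (host, priority) pairs, most urgent first."""
    rank = {"high": 0, "review": 1, "patch": 2, "ok": 3}
    out = []
    for row in inventory:
        patched = is_patched(row["product"], row["version"])
        if patched:
            prio = "ok"
        elif patched is None:
            prio = "review"   # outside the listed ranges or unparseable
        elif row["exposed"]:
            prio = "high"     # unpatched with an internet-exposed console
        else:
            prio = "patch"    # restricted access is a workaround, not a fix
        out.append((row["host"], prio))
    return sorted(out, key=lambda pair: rank[pair[1]])

if __name__ == "__main__":
    for host, prio in triage(INVENTORY):
        print(f"{prio:6} {host}")
```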
CVSS provenance
- nvd (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 7.2 HIGH
- cisa: 7.2 HIGH
GHSA
GHSA-vq2c-8m6j-g4vh: A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Fr
ghsa_unreviewed·2023-09-19
CVE-2023-41179 [HIGH] CWE-94 GHSA-vq2c-8m6j-g4vh: A vulnerability in the 3rd party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Fr
VulnCheck
Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
vulncheck·2023·CVSS 7.2
CVE-2023-41179 [HIGH] Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
Trend Micro Apex One and Worry-Free Business Security contain an unspecified vulnerability in the third-party anti-virus uninstaller that could allow an attacker to manipulate the module to conduct remote code execution. An attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.
Affected: Trend Micro Apex One and Worry-Free Business Security
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities
CISA
Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
cisa·2023-09-21·CVSS 7.2
CVE-2023-41179 [HIGH] Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
Vulnerability: Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability
Affected: Trend Micro Apex One and Worry-Free Business Security
Trend Micro Apex One and Worry-Free Business Security contain an unspecified vulnerability in the third-party anti-virus uninstaller that could allow an attacker to manipulate the module to conduct remote code execution. An attacker must first obtain administrative console access on the target system in order to exploit this vulnerability.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://success.trendmicro.com/dcx/s/solution/000294994?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2023-41179
Remediation Due Date: 2023-10-12
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in the wild
blogs_bleepingcomputer·2026-05-22·CVSS 6.7
CVE-2026-34926 [MEDIUM] Trend Micro warns of Apex One zero-day exploited in the wild
## Trend Micro warns of Apex One zero-day exploited in the wild
## Sergiu Gatlan
Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems.
Apex One is Trend Micro's enterprise-grade endpoint security platform that protects corporate networks from a wide range of security threats, including malware, ransomware, fileless attacks, and web-based threats.
Tracked as CVE-2026-34926, this directory traversal vulnerability in the Apex One (on-premises) server allows local attackers with admin privileges to inject malicious code.
"A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious
Bleepingcomputer
Trend Micro warns of critical Apex One code execution flaws
blogs_bleepingcomputer·2026-02-26·CVSS 9.4
CVE-2025-7121 [CRITICAL] Trend Micro warns of critical Apex One code execution flaws
## Trend Micro warns of critical Apex One code execution flaws
## Sergiu Gatlan
Japanese cybersecurity software firm Trend Micro has patched two critical Apex One vulnerabilities that allow attackers to gain remote code execution (RCE) on vulnerable Windows systems.
Apex One is an endpoint security platform that detects and responds to security threats, including malware, spyware, malicious tools, and vulnerabilities.
The first critical Apex One security flaw patched this week (CVE-2025-71210) is due to a path traversal weakness in the Trend Micro Apex One management console, allowing attackers without privileges to execute malicious code on unpatched systems.
The second, tracked as CVE-2025-71211, is another Apex One management console path traversal vulnerability, similar in scope t
Bleepingcomputer
Trend Micro warns of Apex One zero-day exploited in attacks
blogs_bleepingcomputer·2025-08-06·CVSS 9.4
CVE-2025-54948 [CRITICAL] Trend Micro warns of Apex One zero-day exploited in attacks
## Trend Micro warns of Apex One zero-day exploited in attacks
## Sergiu Gatlan
Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
Trend Micro has yet to issue security updates to patch this actively
Bleepingcomputer
Trend Micro fixes endpoint protection zero-day used in attacks
blogs_bleepingcomputer·2023-09-19·CVSS 7.2
CVE-2023-41179 [HIGH] Trend Micro fixes endpoint protection zero-day used in attacks
## Trend Micro fixes endpoint protection zero-day used in attacks
## Bill Toulas
Trend Micro fixed a remote code execution zero-day vulnerability in Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks.
Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.
The arbitrary code execution flaw is tracked as CVE-2023-41179 and has received a severity rating of 9.1 according to CVSS v3, categorizing it as "critical."
The flaw exists in a third-party uninstaller module supplied with the security software.
"Trend Micro has observed at least one active attempt of potential attacks against this vulnerability in the wild," reads the sec
- https://jvn.jp/en/vu/JVNVU90967486/
- https://success.trendmicro.com/jp/solution/000294706
- https://success.trendmicro.com/solution/000294994
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41179
- 2023-09-19: Published
- 2023-09-21: Added to CISA KEV
- Exploited in the wild