Trend Micro flaw actively exploited in the wild

Cybersecurity firm Trend Micro revealed that a threat actor is actively exploiting a flaw, tracked as CVE-2020-24557, in its antivirus solutions to gain admin rights on Windows systems.

Security solutions one again are used as attack vectors by threat actors, this time cybersecurity company Trend Micro revealed that attackers are actively exploiting a vulnerability, tracked as CVE-2020-24557, in its antivirus solutions to gain admin rights on Windows systems.

The CVE-2020-24557 vulnerability affects the Apex One and OfficeScan XG enterprise security products. The issue resides in the logic that controls access to the Misc folder, it could be exploited by an attacker to escalate privileges and execute code in the context of SYSTEM.

Experts pointed out that the flaw could be exploited by an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and achieve privilege escalation.

“A vulnerability in Trend Micro Apex One on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation.” reads the advisory published by Tenable. “An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.”

The flaw was reported to Trend Micro in 2020 by Microsoft researcher Christopher Vella through the Zero-Day Initiative program, and the security firm addressed it in August 2020.

Now the security firm provided an update to its security advisory confirming that the flaw is actively exploited attackers in the wild and urge customers to apply security updates.

“Known vulnerabilities in Apex One, Apex One SaaS and OfficeScan agents could elevate privileges, allow an attacker to manipulate certain product folders to temporarily disable security features, or to temporarily disable certain Windows features. It may be abused.” reads the update published by the

“We have confirmed attacks that exploit known vulnerabilities in the following products.” adds the company. “Each patch that has already been released supports it, so if you have not applied it, please apply it as soon as possible.”

At the time of this writing, Trend Micro did not share details about the attack either the nature of the threat actors that exploited the.

JPCert also published an alert about the above vulnerability, products and versions affected by the issues are:

– Trend Micro Apex One 2019 prior to Build 8422
– Trend Micro Apex One as a Service prior to Build 202008
– OfficeScan prior to XG SP1 Build 5702

“Since the vulnerability is already being exploited in the wild, the users of the affected products are recommended to update the affected system to the latest version as soon as possible. Please refer to the information provided by Trend Micro.” reads the advisory published by JPCert.

In the past, other vulnerabilities in the Apex One and OfficeScan XG security products were disclosed, including CVE-2019-18187, CVE-2020-8467, and CVE-2020-8468, and some of them were exploited by nation-state actors in attacks in the wild.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Trend Micro)

[adrotate banner=”5″]

[adrotate banner=”13″]