Cyber Resilience

CVE-2019-18187

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 28 October 2019
Modified: 30 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8064 (99.2nd percentile)
Risk Priority: 83 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-18187 is a high-severity path traversal (CWE-22) vulnerability in Trend Micro OfficeScan. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Trend Micro OfficeScan versions 11.0 and XG (12.0) contain a directory traversal vulnerability tracked as CVE-2019-18187 and classified as CWE-22. An attacker can supply an arbitrary zip file whose contents are extracted to a designated folder on the OfficeScan server; because the extraction does not constrain where entries land, this may be leveraged for remote code execution. Execution occurs under the privileges of the web-service account, which may be limited depending on the underlying web platform, and the attack requires prior user authentication.
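The mechanism described above is the classic "zip slip" pattern: an archive entry named with `..` segments or an absolute path is written wherever that name resolves rather than inside the intended folder. The following added example (written for this page; it is not Trend Micro code and assumes nothing about OfficeScan's internals) shows the defensive check the SI-10 control calls for: every entry name is resolved against the extraction root and rejected if it escapes, before anything is written to disk. The sample archive and its entry names are constructed for the demonstration.

```python
"""Hardened zip extraction: reject entries that escape the extraction root (CWE-22)."""
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reports/summary.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "would land above the extraction root\n")
        zf.writestr("/etc/absolute.txt", "absolute name inside the archive\n")
    return buf.getvalue()


def resolve_entry(root: Path, name: str) -> Optional[Path]:
    """Map an entry name to its on-disk target, or None if it escapes root.

    Path.resolve() collapses '..' segments and follows symlinks for the parts
    that already exist, so containment is checked on the real final location,
    not on the raw string. An absolute entry name replaces root entirely and
    therefore fails the check as well.
    """
    root = root.resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def classify_entries(zip_bytes: bytes, root: Path) -> Dict[str, List[str]]:
    """Sort entry names into 'safe' and 'unsafe' without writing anything."""
    result: Dict[str, List[str]] = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "safe" if resolve_entry(root, info.filename) is not None else "unsafe"
            result[bucket].append(info.filename)
    return result


def safe_extract(zip_bytes: bytes, root: Path, *, reject: bool = True,
                 max_total_bytes: int = 50 * 1024 * 1024) -> List[str]:
    """Extract only entries that stay inside root; return the relative paths written.

    reject=True  -> fail closed: raise on the first traversal entry, write nothing.
    reject=False -> skip traversal entries and extract the rest.
    The byte cap bounds actual decompressed output, not the (untrusted) size in the header.
    """
    root.mkdir(parents=True, exist_ok=True)
    root = root.resolve()
    written: List[str] = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Pass 1: validate every name before touching the disk, so a bad entry
        # late in the archive cannot leave a half-extracted tree behind.
        plan: List[Tuple[zipfile.ZipInfo, Path]] = []
        for info in zf.infolist():
            target = resolve_entry(root, info.filename)
            if target is None:
                if reject:
                    raise ValueError(f"traversal entry rejected: {info.filename!r}")
                continue
            plan.append((info, target))
        # Pass 2: write the validated entries.
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_total_bytes:
                        raise ValueError("archive exceeds extraction byte cap")
                    dst.write(chunk)
            written.append(target.relative_to(root).as_posix())
    return written


def run_demo() -> dict:
    """Run both policies against the sample archive inside a throwaway directory."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extract"
        outcome = {"classified": classify_entries(data, root)}
        try:
            safe_extract(data, root, reject=True)
            outcome["fail_closed"] = "extracted"
        except ValueError as exc:
            outcome["fail_closed"] = str(exc)
        outcome["skipped"] = safe_extract(data, root, reject=False)
        # '../../escaped.txt' relative to tmp/extract would resolve here; it must not exist.
        outcome["escaped_exists"] = (Path(tmp).parent / "escaped.txt").exists()
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The fail-closed policy is the one to prefer for an upload endpoint: an archive containing even one escaping entry is evidence of tampering, and skipping such entries silently would hide that signal from logs. Symlink entries inside the archive and archive-level size limits are separate concerns that the byte cap only partially covers.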

Because the flaw lets an authenticated remote attacker place files on the server, successful exploitation can result in code execution. The reported CVSS 7.5 vector (C:H/I:N/A:N) scores that impact as affecting confidentiality while leaving integrity and availability untouched.

Trend Micro advisory 000151730 describes the issue and supplies remediation guidance; the vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog, indicating confirmed in-the-wild exploitation.

EU & UK References

Vulnerability details

Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: trendmicro
Product: officescan
Versions: 11.0, xg

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-10, Information Input Validation)

Directly enforces validation of file paths and zip-extraction inputs to block the directory traversal (CWE-22) that allows arbitrary file writes.

prevent (SI-2, Flaw Remediation)

Requires timely application of the vendor patch that eliminates the flawed zip-extraction logic in OfficeScan.

prevent

Limits privileges of the web-service account under which extracted code would execute, reducing the impact of successful RCE.

References