CVE-2020-24557
Published: 01 September 2020
Summary
CVE-2020-24557 is a high-severity vulnerability of an unspecified weakness type in Trend Micro Apex One. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 16.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability CVE-2020-24557 exists in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 running on Microsoft Windows. It stems from the ability to manipulate a specific product folder, which can temporarily disable security protections and allow abuse of a Windows function to escalate privileges. The flaw carries a CVSS 3.1 score of 7.8 and is tracked under NVD-CWE-Other.
An attacker who has already obtained low-privileged code execution on the target system can exploit the issue to achieve higher privileges. The attack is local and does not require user interaction, though Windows 10 version 1909 (OS Build 18363.719) and later include hard-link mitigations that limit exposure on newer builds.
Trend Micro advisories and the corresponding Zero Day Initiative report (ZDI-20-1094) direct administrators to the vendor solutions at the listed URLs for remediation steps and updated builds that close the folder manipulation vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-17276
Vulnerability details
A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation.
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces access restrictions on the Trend Micro product folder so that low-privileged code cannot manipulate it to disable protections.
Requires least-privilege permissions on security-product directories, directly blocking the folder manipulation needed for escalation.
Restricts unauthorized changes to critical installed components, limiting the attacker's ability to abuse the product folder.