CVE-2021-36741
Published: 29 July 2021
Summary
CVE-2021-36741 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Trend Micro OfficeScan. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 28.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-36741 is an improper input validation vulnerability, categorized under CWE-434, that affects Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1. It permits remote attackers to upload arbitrary files to affected installations, with a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability over a network vector.
An attacker who has already obtained valid credentials to log on to the product's management console can exploit the flaw to upload malicious files, potentially leading to code execution or further compromise of the system.
Advisories and solution documents addressing the issue are published by the vendor at https://success.trendmicro.com/jp/solution/000287796, https://success.trendmicro.com/jp/solution/000287815, https://success.trendmicro.com/solution/000287819, and https://success.trendmicro.com/solution/000287820. No information on observed in-the-wild exploitation is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-23331
Vulnerability details
An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attacker to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to log on to the product's management console in order to exploit this vulnerability.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces validation of file inputs to block unrestricted/arbitrary uploads that define this CWE-434 flaw.
Restricts console user privileges so that even authenticated attackers cannot perform dangerous file-upload actions.
Scans or blocks malicious code in uploaded files before execution, mitigating the post-upload impact of the vulnerability.