Cyber Resilience

CVE-2021-36741

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 July 2021

Modified: 31 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0066 (71.7th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36741 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Trend Micro OfficeScan. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 28.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-36741 is an improper input validation vulnerability, categorized under CWE-434, that affects Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1. It permits remote attackers to upload arbitrary files to affected installations, with a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability over a network vector.

An attacker who has already obtained valid credentials to log on to the product's management console can exploit the flaw to upload malicious files, potentially leading to code execution or further compromise of the system.

Advisories and solution documents addressing the issue are published by the vendor at https://success.trendmicro.com/jp/solution/000287796, https://success.trendmicro.com/jp/solution/000287815, https://success.trendmicro.com/solution/000287819, and https://success.trendmicro.com/solution/000287820. No information on observed in-the-wild exploitation is provided in the available references.

EU & UK References

Vulnerability details

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attacker to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to log on to the product's management console in order to exploit this vulnerability.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
trendmicro | officescan | xg
trendmicro | officescan business security | 10.0
trendmicro | apex one | 2019
trendmicro | worry-free business security | 10.0

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces validation of file inputs to block unrestricted/arbitrary uploads that define this CWE-434 flaw.

prevent: Restricts console user privileges so that even authenticated attackers cannot perform dangerous file-upload actions.

prevent, detect: Scans or blocks malicious code in uploaded files before execution, mitigating the post-upload impact of the vulnerability.

References