Cyber Resilience

CVE-2021-36742

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 July 2021
Modified: 31 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0143 (81.0th percentile)
Risk Priority: 36 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36742 is a high-severity Improper Input Validation (CWE-20) vulnerability in Trend Micro OfficeScan. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 19.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-36742 is an improper input validation vulnerability, tracked under CWE-20, that affects Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1. The flaw permits a local attacker to escalate privileges on affected installations when they already possess the ability to run low-privileged code.

An attacker with an initial low-privileged foothold can exploit the vulnerability to obtain higher privileges, resulting in full control over confidentiality, integrity, and availability of the system as reflected in its CVSS 3.1 base score of 7.8.

Trend Micro has published solution articles addressing the issue for each affected product line; these advisories are available at the vendor's success.trendmicro.com portals and contain the relevant updates and configuration guidance.


Vulnerability details

An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG and Worry-Free Business Security 10.0 SP1 allows a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Version
trendmicro / officescan / xg
trendmicro / officescan business security / 10.0
trendmicro / apex one / 2019
trendmicro / worry-free business security / 10.0

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent): Directly requires validation of input to the affected Trend Micro components, blocking the improper validation flaw that enables local privilege escalation.

Least privilege (prevent): Enforces least-privilege assignments so that an initial low-privileged foothold cannot be leveraged to obtain higher rights via the vulnerability.

SI-2 Flaw Remediation (prevent): Mandates timely application of vendor patches that remediate the specific input-validation defect in Apex One, OfficeScan, and Worry-Free products.
