CVE-2022-26871
Published: 29 March 2022
Summary
CVE-2022-26871 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Trend Micro Apex Central. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-26871 is an arbitrary file upload vulnerability affecting Trend Micro Apex Central. The flaw, assigned CWE-345, permits an unauthenticated remote attacker to upload arbitrary files to the server, which can subsequently lead to remote code execution on the affected system. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction.
An unauthenticated attacker with network access can exploit the weakness by sending a crafted upload request that bypasses intended validation checks. Successful exploitation grants the ability to place and execute malicious files on the Apex Central server, resulting in full compromise of confidentiality, integrity, and availability.
Vendor advisories from Trend Micro and coordinated notices from JPCERT and JVN direct administrators to apply the patches referenced in solution articles 000290660 and 000290678, along with the March 2022 security bulletin. These updates address the upload handling logic and are required to eliminate the exposure.
The EPSS score for this CVE rose materially from lower values after disclosure to a peak of 0.6937 on 2024-12-17 before receding to the current 0.2130, indicating that exploitation interest increased well after the initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31420
Vulnerability details
An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.
- CWE(s)
- KEV Date Added: 31 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input (including uploaded files) to reject malformed or unauthorized content before it can be processed or executed.
Enforces authentication and authorization checks on all requests, blocking the unauthenticated file-upload path exploited by the CVE.
Requires malicious-code scanning of received files, which can identify and block the weaponized uploads that lead to RCE.