Cyber Resilience

CVE-2022-26871

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 March 2022

Modified: 22 December 2025
KEV Added: 31 March 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2130 (95.8th percentile)
Risk Priority: 52 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26871 is a critical-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Trend Micro Apex Central. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-26871 is an arbitrary file upload vulnerability affecting Trend Micro Apex Central. The flaw, assigned CWE-345, permits an unauthenticated remote attacker to upload arbitrary files to the server, which can subsequently lead to remote code execution on the affected system. It carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector with no authentication or user interaction required.

An unauthenticated attacker with network access can exploit the weakness by sending a crafted upload request that bypasses intended validation checks. Successful exploitation grants the ability to place and execute malicious files on the Apex Central server, resulting in full compromise of confidentiality, integrity, and availability.

Vendor advisories from Trend Micro and coordinated notices from JPCERT and JVN direct administrators to apply the patches referenced in solution articles 000290660 and 000290678, along with the March 2022 security bulletin. These updates address the upload handling logic and are required to eliminate the exposure.

The EPSS score for this CVE rose materially from lower values after disclosure to a peak of 0.6937 on 2024-12-17 before receding to the current 0.2130, indicating that exploitation interest increased well after the initial publication.

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

CWE(s): CWE-345
KEV Date Added: 31 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
trendmicro | apex central | 2019
trendmicro | apex one | all versions

Mitigating Controls

NIST 800-53 r5 · AI

prevent: Directly requires validation of all input (including uploaded files) to reject malformed or unauthorized content before it can be processed or executed.

prevent: Enforces authentication and authorization checks on all requests, blocking the unauthenticated file-upload path exploited by the CVE.

prevent · detect: Requires malicious-code scanning of received files, which can identify and block the weaponized uploads that lead to RCE.

References