Cyber Resilience

CVE-2022-40139

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 19 September 2022
Modified: 31 October 2025
KEV Added: 15 September 2022
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0891 (92.8th percentile)
Risk Priority: 40 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40139 is a high-severity vulnerability in Trend Micro Apex One whose weakness type (CWE) is not specified. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 7.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2022-40139 affects the rollback mechanism in Trend Micro Apex One and Apex One as a Service clients. The flaw stems from improper validation of components used during rollback operations, enabling an authenticated server administrator to direct clients to retrieve and apply an unverified package.

An attacker who first obtains administrative access to the Apex One management console can exploit the issue to trigger remote code execution on connected client systems. The vulnerability carries a CVSS 3.1 score of 7.2, reflecting the high impact once the prerequisite console access is achieved.

Vendor guidance published at success.trendmicro.com/solution/000291528 addresses the issue, and the CVE appears in the CISA Known Exploited Vulnerabilities catalog; updates and mitigations have been made available to affected customers.

EPSS scores for the vulnerability reached a peak of 0.1344 before receding to the current value of 0.0891.


Vulnerability details

Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow an Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.

CWE(s): not specified
KEV Date Added: 15 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Trend Micro Apex One 2019, all versions

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires cryptographic or integrity verification of software/firmware packages before they are processed, blocking the unverified rollback package that enables RCE.

Prevent: Mandates cryptographic signing and verification of software components prior to installation or execution, directly mitigating the missing validation of rollback packages.

Prevent: Enforces least privilege on the Apex One server console so that only authorized administrators can initiate rollback operations, reducing the attack surface for this high-privilege RCE vector.
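As an added illustration (not Trend Micro's code and not the page's own), a client-side check in Python of the kind the integrity and signed-component controls above call for: a rollback package is only handed to the installer once a manifest authenticated by a key the client holds names its digest. The key, the manifest layout and the sample package are constructed assumptions; a real client would verify an asymmetric vendor signature rather than an HMAC, which is used here only to keep the example on the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real client would verify an asymmetric
# vendor signature; HMAC-SHA256 keeps this example on the standard library.
MANIFEST_KEY = b"constructed-demo-manifest-key"

class UnverifiedPackage(Exception):
    """Raised when a rollback package fails authenticity or integrity checks."""

def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Authenticate the manifest that names the expected package digest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def apply_rollback_unverified(package: bytes) -> bytes:
    """The weak pattern: whatever the server points the client at is applied."""
    return package  # no authenticity or integrity check at all

def apply_rollback_verified(package: bytes, manifest: dict, manifest_mac: str,
                            key: bytes = MANIFEST_KEY) -> bytes:
    """The hardened pattern: authenticate the manifest, then check the digest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_mac):
        raise UnverifiedPackage("manifest authentication failed")
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise UnverifiedPackage("package digest does not match manifest")
    return package  # only now is it safe to hand the package to the installer

def _rejected(*args) -> bool:
    """True if the verified path refuses the given package/manifest/MAC."""
    try:
        apply_rollback_verified(*args)
    except UnverifiedPackage:
        return True
    return False

def demo() -> tuple:
    """Returns (genuine accepted, tampered rejected, forged manifest rejected)."""
    good = b"constructed rollback package v1"  # constructed sample package
    manifest = {"name": "rollback-v1", "sha256": hashlib.sha256(good).hexdigest()}
    mac = sign_manifest(manifest)
    tampered = good + b" with injected payload"
    # Attacker rewrites the manifest digest to match the tampered package but
    # cannot produce a valid MAC for it without the client's verification key.
    forged = {"name": "rollback-v1", "sha256": hashlib.sha256(tampered).hexdigest()}
    return (apply_rollback_verified(good, manifest, mac) == good,
            _rejected(tampered, manifest, mac),   # digest mismatch
            _rejected(tampered, forged, mac))     # MAC no longer matches
```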
