CVE-2022-40139
Published: 19 September 2022
Summary
CVE-2022-40139 is a high-severity vulnerability in Trend Micro Apex One and Apex One as a Service; no CWE is recorded for it on this page. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 7.2% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, which means CISA has evidence of exploitation in the wild.
The strongest mitigations our analysis identified are NIST SP 800-53 r5 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2022-40139 affects the rollback mechanism in Trend Micro Apex One and Apex One as a Service clients. The flaw stems from improper validation of components used during rollback operations, enabling an authenticated server administrator to direct clients to retrieve and apply an unverified package.
An attacker who first obtains administrative access to the Apex One management console can exploit the issue to trigger remote code execution on connected client systems. The vulnerability carries a CVSS 3.1 score of 7.2, reflecting the high impact once the prerequisite console access is achieved.
Vendor guidance published at success.trendmicro.com/solution/000291528 addresses the issue. The CVE's presence in the CISA Known Exploited Vulnerabilities catalog is evidence of active exploitation, not merely confirmation that a fix exists; KEV entries carry a mandatory remediation deadline for US federal civilian agencies, and other organizations should treat the vendor update with the same urgency.
The EPSS score (estimated probability of exploitation activity in the next 30 days) peaked at 0.1344 and currently stands at 0.0891.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43457
Vulnerability details
Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow an Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.
- CWE(s): unspecified
- KEV Date Added: 15 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Trend Micro Apex One and Trend Micro Apex One as a Service clients (rollback mechanism). The attack is launched from the Apex One server management console, so the server's administrator accounts are the entry point.
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): requires cryptographic or integrity verification of software and firmware packages before they are processed, blocking the unverified rollback package that enables RCE.
- CM-14 (Signed Components): mandates cryptographic signing and verification of software components prior to installation or execution, directly addressing the missing validation of rollback packages.
- AC-6 (Least Privilege): restricts the Apex One server console so that only authorized administrators can initiate rollback operations. This narrows who can reach the vulnerable path but does not remove the flaw; the client-side verification above is the actual fix.
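The flaw described in the Deeper analysis section and the CM-14/SI-7 controls above come down to one client-side decision: apply whatever the management server points at, or verify it against a vendor key first. The following Go program illustrates both behaviours side by side. It is an added example, not Trend Micro's code or package format; the RollbackPackage structure, the Ed25519 signing scheme, the digest layout, and the sample package names and payloads are all constructed for this illustration. The threat model matches the advisory's prerequisite: the attacker already holds server-admin console access and can make the client fetch any package, but does not hold the vendor's signing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RollbackPackage is an assumed model of what a management server hands a
// client during a rollback: a component name, the payload bytes, and (in the
// hardened design) a signature. It is not the vendor's real format.
type RollbackPackage struct {
	Name    string
	Payload []byte
	Sig     []byte // Ed25519 signature over digest(Name, Payload)
}

// digest binds name and payload together so neither can be swapped
// independently; the 0x00 separator prevents boundary ambiguity.
func digest(p RollbackPackage) []byte {
	h := sha256.New()
	h.Write([]byte(p.Name))
	h.Write([]byte{0})
	h.Write(p.Payload)
	return h.Sum(nil)
}

// NewVendorKeys creates a signing key pair. In a real deployment only the
// public key ships inside the client; the private key stays in the vendor's
// build pipeline and is never present on the management server.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPackage is the vendor-side step: sign the package at build time.
func SignPackage(priv ed25519.PrivateKey, name string, payload []byte) RollbackPackage {
	p := RollbackPackage{Name: name, Payload: payload}
	p.Sig = ed25519.Sign(priv, digest(p))
	return p
}

// ApplyUnverified models the vulnerable client: whatever the server instructs
// it to download is applied, so any server administrator can push arbitrary
// code to every connected client.
func ApplyUnverified(p RollbackPackage) string {
	return "applied " + p.Name
}

var ErrBadSignature = errors.New("rollback package failed signature verification")

// ApplyVerified models the hardened client (CM-14 / SI-7): the package is
// rejected unless its signature verifies under the embedded vendor key. A
// malicious server administrator can still trigger a rollback, but can no
// longer substitute a payload of their own.
func ApplyVerified(vendorPub ed25519.PublicKey, p RollbackPackage) (string, error) {
	if len(p.Sig) != ed25519.SignatureSize || !ed25519.Verify(vendorPub, digest(p), p.Sig) {
		return "", ErrBadSignature
	}
	return "applied " + p.Name, nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKeys()
	// Constructed sample data; names and bytes are illustrative only.
	genuine := SignPackage(vendorPriv, "agent-rollback-sample", []byte("legitimate installer bytes"))

	// The attacker has console access and signs a package with their own key.
	_, attackerPriv := NewVendorKeys()
	malicious := SignPackage(attackerPriv, "agent-rollback-sample", []byte("attacker payload"))

	fmt.Println("unverified client:", ApplyUnverified(malicious)) // attacker code runs
	if _, err := ApplyVerified(vendorPub, malicious); err != nil {
		fmt.Println("verified client:  ", err) // rejected
	}
	out, _ := ApplyVerified(vendorPub, genuine)
	fmt.Println("verified client:  ", out) // genuine package still applies
}
```

One caveat a practitioner should keep in mind: signature verification stops an administrator from substituting an arbitrary payload, but a rollback is by definition a downgrade, so an administrator could still push a genuinely signed but older build that carries its own fixed bugs. Whether the client enforces a minimum acceptable version is a separate control from the one this example demonstrates, and the page does not say how the vendor handles it.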