Cyber Resilience

CVE-2023-0587

Critical

Published: 01 February 2023

Modified: 27 March 2025
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.1447 (94.6th percentile)
Risk Priority: 27 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0587 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A file upload vulnerability exists in Trend Micro Apex One server build 11110. An unauthenticated remote attacker can send an HTTP PUT request containing a malformed Content-Length header to the URL /officescan/console/html/cgi/fcgiOfcDDA.exe, which allows arbitrary files to be written into the SampleSubmission directory (\PCCSRV\TEMP\SampleSubmission) on the server. The flaw is tracked as CWE-434 and carries a CVSS 3.1 score of 9.1.

An attacker requires no credentials and can exploit the issue over the network to upload large numbers of oversized files, exhausting disk space on the volume hosting the Apex One installation and thereby causing denial of service. The same mechanism could also be used to place attacker-controlled content on the server, although the provided description emphasizes resource exhaustion as the primary impact.

The EPSS score for this CVE rose from a low baseline after disclosure to a peak of 0.3184 on 2025-12-11 before receding to the current value of 0.1447, indicating that exploitation interest increased measurably in the period following public release. The only referenced advisory is Tenable research note TRA-2023-5.
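For defenders, the request described above (a PUT to the fcgiOfcDDA.exe URL) can be hunted for in web server logs. The following is an added example, not code from the advisory or from Trend Micro; it assumes the server's web front end writes IIS W3C extended logs with a `#Fields:` header, and the log lines and function name are constructed for illustration.

```python
from collections import defaultdict

# Endpoint named in the vulnerability description; compared in lower case
# because IIS treats URL paths case-insensitively.
TARGET = "/officescan/console/html/cgi/fcgiofcdda.exe"

def find_put_uploads(lines):
    """Return {client_ip: {"requests": n, "bytes": total}} for PUTs to TARGET."""
    fields = []
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "PUT":
            continue
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        hit = hits[row.get("c-ip", "unknown")]
        hit["requests"] += 1
        # cs-bytes is an optional IIS field; a missing or "-" value counts as 0.
        size = row.get("cs-bytes", "-")
        hit["bytes"] += int(size) if size.isdigit() else 0
    return dict(hits)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2023-02-02 10:00:01 192.0.2.10 GET /officescan/console/html/cgi/fcgiOfcDDA.exe - 443 - 198.51.100.7 Mozilla/5.0 200 310
2023-02-02 10:00:05 192.0.2.10 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe - 443 - 203.0.113.5 curl/8.0 200 1048576
2023-02-02 10:00:06 192.0.2.10 PUT /OfficeScan/Console/html/cgi/fcgiOfcDDA.exe - 443 - 203.0.113.5 curl/8.0 200 2097152
2023-02-02 10:00:09 192.0.2.10 PUT /officescan/console/html/cgi/fcgiOfcDDA.exe - 443 - 198.51.100.7 curl/8.0 200 -
2023-02-02 10:00:12 192.0.2.10 POST / - 443 - 203.0.113.5 curl/8.0 404 120
"""

if __name__ == "__main__":
    for ip, stats in find_put_uploads(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['requests']} PUT(s), {stats['bytes']} bytes logged")
```

Because the request carries a malformed Content-Length header, treat the logged byte totals as indicative only and pair the log hunt with monitoring of file count and free space for \PCCSRV\TEMP\SampleSubmission.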

EU & UK References

Vulnerability details

A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

trendmicro
apex one
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References