CVE-2023-0587
Published: 01 February 2023
Summary
CVE-2023-0587 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A file upload vulnerability exists in Trend Micro Apex One server build 11110. An unauthenticated remote attacker can send an HTTP PUT request containing a malformed Content-Length header to the URL /officescan/console/html/cgi/fcgiOfcDDA.exe, which allows arbitrary files to be written into the SampleSubmission directory (\PCCSRV\TEMP\SampleSubmission) on the server. The flaw is tracked as CWE-434 and carries a CVSS 3.1 score of 9.1.
An attacker requires no credentials and can exploit the issue over the network to upload large numbers of oversized files, exhausting disk space on the volume hosting the Apex One installation and thereby causing denial of service. The same mechanism could also be used to place attacker-controlled content on the server, although the provided description emphasizes resource exhaustion as the primary impact.
The EPSS score for this CVE rose from a low baseline after disclosure to a peak of 0.3184 on 2025-12-11 before receding to the current value of 0.1447, indicating that exploitation interest increased measurably in the period following public release. The only referenced advisory is Tenable research note TRA-2023-5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12627
Vulnerability details
A file upload vulnerability exists in Trend Micro Apex One server build 11110. Using a malformed Content-Length header in an HTTP PUT message sent to URL /officescan/console/html/cgi/fcgiOfcDDA.exe, an unauthenticated remote attacker can upload arbitrary files to the SampleSubmission directory (i.e., \PCCSRV\TEMP\SampleSubmission) on the server. The attacker can upload a large number of large files to fill up the file system on which the Apex One server is installed.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.