Cyber Resilience

CVE-2023-25143

Critical

Published: 10 March 2023

Published
10 March 2023
Modified
05 March 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0194 83.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-25143 is a critical-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Trendmicro Apex One. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 16.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An uncontrolled search path element vulnerability, tracked as CVE-2023-25143 and assigned CWE-427, affects the installer component of Trend Micro Apex One Server. The flaw carries a CVSS 3.1 score of 9.8 and permits remote code execution on affected installations when an attacker supplies a malicious executable in an uncontrolled search path.

Because the vulnerability is exploitable over the network with no authentication or user interaction required, an unauthenticated remote attacker can achieve arbitrary code execution with full confidentiality, integrity, and availability impact on the target server. Successful exploitation grants the attacker the ability to run code in the context of the installer process, potentially leading to complete compromise of the Apex One Server.

Trend Micro has published mitigation guidance in solution article 000292209, which addresses the affected installer. The EPSS score for this CVE rose from a low baseline to a peak of 0.0618 before receding to its current value of 0.0194, indicating a temporary increase in observed exploitation interest after disclosure.

EU & UK References

Vulnerability details

An uncontrolled search path element vulnerability in the Trend Micro Apex One Server installer could allow an attacker to achieve a remote code execution state on affected products.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

trendmicro
apex one
2019 · ≤ 14.0.11960

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References