CVE-2023-32521
Published: 26 June 2023
Summary
CVE-2023-32521 is a critical-severity Path Traversal (CWE-22) vulnerability in Trend Micro Mobile Security. Its CVSS base score is 9.1 (Critical).
Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A path traversal vulnerability exists in a specific service DLL within Trend Micro Mobile Security (Enterprise) version 9.8 SP5. Tracked as CVE-2023-32521 and assigned CWE-22, the flaw permits deletion of arbitrary files on affected systems. It carries a CVSS 3.1 score of 9.1, reflecting a network-accessible attack vector that requires no authentication.
An unauthenticated remote attacker can exploit the issue over the network to remove arbitrary files, resulting in high impact to integrity and availability without any user interaction. The attack requires no privileges and targets the exposed service component directly.
Trend Micro has published remediation guidance in solution article 000293106, directing customers to apply the available patch or configuration update for the affected Mobile Security (Enterprise) 9.8 SP5 deployment. Independent analysis from Tenable Research (TRA-2023-17) corroborates the technical details and confirms the unauthenticated remote deletion capability.
The EPSS score for this CVE has climbed from a low baseline to a peak of 0.7118 (current value 0.6631), indicating that exploitation interest emerged after public disclosure and that the vulnerability warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36765
Vulnerability details
A path traversal exists in a specific service DLL of Trend Micro Mobile Security (Enterprise) 9.8 SP5 which could allow an unauthenticated remote attacker to delete arbitrary files.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.