CVE-2023-32557
Published: 26 June 2023
Summary
CVE-2023-32557 is a critical-severity Path Traversal (CWE-22) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A path traversal vulnerability tracked as CVE-2023-32557 affects Trend Micro Apex One and Apex One as a Service. The flaw, assigned CWE-22 and carrying a CVSS 3.1 score of 9.8, resides in the Management Server and allows an unauthenticated attacker to upload an arbitrary file.
The issue is exploitable remotely over the network with no credentials or user interaction required, and a successful attack yields remote code execution with system privileges on the Management Server.
Vendor advisory information addressing the vulnerability is available at the Trend Micro success portal links referenced for this CVE. The associated EPSS score has held steady at its peak value of 0.0643, with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-36801
Vulnerability details
A path traversal vulnerability in the Trend Micro Apex One and Apex One as a Service could allow an unauthenticated attacker to upload an arbitrary file to the Management Server which could lead to remote code execution with system privileges.
- CWE(s): CWE-22
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.