CVE-2023-32557

Severity: Critical
Published: 26 June 2023
Modified: 21 November 2024
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0643 (91.3rd percentile)
Risk priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-32557 is a critical-severity Path Traversal (CWE-22) vulnerability in Trend Micro Apex One. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A path traversal vulnerability tracked as CVE-2023-32557 affects Trend Micro Apex One and Apex One as a Service. The flaw, assigned CWE-22 and carrying a CVSS 3.1 score of 9.8, resides in the Management Server and enables an unauthenticated attacker to upload an arbitrary file.

An unauthenticated remote attacker can exploit the issue over the network with no credentials or user interaction required, achieving remote code execution with system privileges on the Management Server.

Vendor advisory information addressing the vulnerability is available at the Trend Micro success portal links referenced for this CVE. The associated EPSS score has remained flat at its peak value of 0.0643 with no material increase observed.

Vulnerability details

A path traversal vulnerability in the Trend Micro Apex One and Apex One as a Service could allow an unauthenticated attacker to upload an arbitrary file to the Management Server which could lead to remote code execution with system privileges.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Trend Micro Apex One 2019, versions ≤ 14.0.12105

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validate pathnames and filenames to prevent traversal outside intended directories.
