CVE-2019-14685 : A local privilege escalation vulnerability exists in Trend Micro Security 2019 (

A local privilege escalation vulnerability exists in Trend Micro Security 2019 (v15.0) in which, if exploited, would allow an attacker to manipulate a specific product feature to load a malicious service.

Published 2019-08-21 20:15:13

Updated 2020-08-24 17:37:01

Source Trend Micro, Inc.

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2019-14685

Trendmicro » Antivirus + Security 2019 » Version: 15.0
cpe:2.3:a:trendmicro:antivirus_\+_security_2019:15.0:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Trendmicro » Internet Security 2019 » Version: 15.0
cpe:2.3:a:trendmicro:internet_security_2019:15.0:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Trendmicro » Maximum Security 2019 » Version: 15.0
cpe:2.3:a:trendmicro:maximum_security_2019:15.0:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Trendmicro » Premium Security 2019 » Version: 15.0
cpe:2.3:a:trendmicro:premium_security_2019:15.0:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-14685

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-14685

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-14685

CWE-428 Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-14685

https://medium.com/sidechannel-br/vulnerabilidade-no-trend-micro-maximum-security-2019-permite-a-escala%C3%A7%C3%A3o-de-privil%C3%A9gios-no-windows-471403d53b68

Vulnerabilidade no Trend Micro Maximum Security 2019 permite a escalação de privilégios no Windows
Third Party Advisory
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1123420.aspx

Vendor Advisory
http://seclists.org/fulldisclosure/2019/Aug/26

Full Disclosure: Unquoted Path - Trend Micro
Mailing List;Third Party Advisory
http://packetstormsecurity.com/files/154200/Trend-Maximum-Security-2019-Unquoted-Search-Path.html

Trend Maximum Security 2019 Unquoted Search Path ≈ Packet Storm
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2019-14685

Products affected by CVE-2019-14685

Exploit prediction scoring system (EPSS) score for CVE-2019-14685

CVSS scores for CVE-2019-14685

CWE ids for CVE-2019-14685

References for CVE-2019-14685