CVE-2020-24557 : A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP

A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.

Published 2020-09-01 19:15:12

Updated 2025-02-12 20:44:33

Source Trend Micro, Inc.

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2020-24557

Trendmicro » Apex One » Version: 2019
cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Trendmicro » Apex One » Version: N/A Saas Edition
cpe:2.3:a:trendmicro:apex_one:-:*:*:*:saas:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A
Trendmicro » Worry-free Business Security » Version: 10.0 Update SP1
cpe:2.3:a:trendmicro:worry-free_business_security:10.0:sp1:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

CVE-2020-24557 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Trend Micro Multiple Products Improper Access Control Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function, and attain privilege e

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2020-24557

Added on 2021-11-03 Action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2020-24557

EPSS FAQ

0.64%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 69 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-24557

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-06
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-24557

https://success.trendmicro.com/solution/000263632

Vendor Advisory

CVEs referencing this url
https://success.trendmicro.com/solution/000267260

September 2020 Security Bulletin - WFBS & WFBS-SVC
Vendor Advisory

CVEs referencing this url
https://www.zerodayinitiative.com/advisories/ZDI-20-1094/

ZDI-20-1094 | Zero Day Initiative
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2020-24557

Products affected by CVE-2020-24557

CVE-2020-24557 is in the CISA Known Exploited Vulnerabilities Catalog

Exploit prediction scoring system (EPSS) score for CVE-2020-24557

CVSS scores for CVE-2020-24557

References for CVE-2020-24557