CVE-2022-26871 : An arbitrary file upload vulnerability in Trend Micro Apex Central could allow a

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to upload an arbitrary file which could lead to remote code execution.

Published 2022-03-29 21:15:08

Updated 2025-02-10 18:58:50

Source Trend Micro, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2022-26871

Trendmicro » Apex One » Version: N/A For Saas
cpe:2.3:a:trendmicro:apex_one:-:*:*:*:*:saas:*:*
Matching versions
Trendmicro » Apex Central » Version: 2019 For Windows
cpe:2.3:a:trendmicro:apex_central:2019:-:*:*:*:windows:*:*
Matching versions

CVE-2022-26871 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Trend Micro Apex Central Arbitrary File Upload Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

An arbitrary file upload vulnerability in Trend Micro Apex Central could allow for remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2022-26871

Added on 2022-03-31 Action due date 2022-04-21

Exploit prediction scoring system (EPSS) score for CVE-2022-26871

EPSS FAQ

8.57%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 92 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-26871

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-29
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-26871

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-26871

https://jvn.jp/vu/JVNVU99107357

JVNVU#99107357: Trend Micro Apex CentralおよびTrend Micro Apex Central as a Serviceにおけるファイルコンテンツの検証不備の脆弱性
Third Party Advisory;VDB Entry
https://appweb.trendmicro.com/supportNews/NewsDetail.aspx?id=4435

サポート情報 : トレンドマイクロ
Vendor Advisory
https://success.trendmicro.com/jp/solution/000290660

Q&A | Trend Micro Business Support
Mitigation;Patch;Vendor Advisory
https://www.jpcert.or.jp/english/at/2022/at220008.html

Alert Regarding Vulnerability (CVE-2022-26871) in Trend Micro Apex Central
Third Party Advisory;VDB Entry
https://success.trendmicro.com/solution/000290678

Case Solution
Mitigation;Patch;Vendor Advisory