Vulnerability Details : CVE-2022-40139
Improper validation of some components used by the rollback mechanism in Trend Micro Apex One and Trend Micro Apex One as a Service clients could allow a Apex One server administrator to instruct affected clients to download an unverified rollback package, which could lead to remote code execution. Please note: an attacker must first obtain Apex One server administration console access in order to exploit this vulnerability.
Vulnerability category: Execute code
Products affected by CVE-2022-40139
- cpe:2.3:a:trendmicro:apex_one:2019:*:*:*:*:*:*:*
- cpe:2.3:a:trendmicro:apex_one:-:*:*:*:*:saas:*:*
CVE-2022-40139 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Trend Micro Apex One and Apex One as a Service Improper Validation Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Trend Micro Apex One and Apex One as a Service contain an improper validation of rollback mechanism components that could lead to remote code execution.
Notes:
https://success.trendmicro.com/dcx/s/solution/000291528?language=en_US; https://nvd.nist.gov/vuln/detail/CVE-2022-40139
Added on
2022-09-15
Action due date
2022-10-06
Exploit prediction scoring system (EPSS) score for CVE-2022-40139
2.86%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-40139
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-29 |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
References for CVE-2022-40139
-
https://success.trendmicro.com/solution/000291528
Case SolutionPatch;Vendor Advisory
Jump to