Summary
Trend Micro has urgently released patches and hotfixes to address an actively exploited critical security vulnerability in its Apex One and Worry-Free Business Security solutions for Windows.
The critical vulnerability, tracked as CVE-2023-41179 with a CVSS score of 9.1, allows attackers with administrative console access to execute arbitrary commands.
Trend Micro has observed at least one active attempt to exploit it in the wild.
Users are strongly advised to apply the provided patches promptly to mitigate the risk.
As a workaround, it is recommended to limit access to the product’s administration console to trusted networks.
About CVE-2023-41179
CVE-2023-41179 is related to a third-party antivirus uninstaller module bundled with the software.
It affects several versions of Trend Micro products, including Apex One and Worry-Free Business Security.
Successful exploitation of this vulnerability could enable an attacker to execute arbitrary commands on the affected system.
However, exploitation requires that the attacker already have administrative console access to the target system.
Trend Micro acknowledges the responsible disclosure of these issues by individuals, including its own Trend Micro Research team.
Recommendation
Trend Micro recommends the following actions:
- Users of affected Trend Micro products should promptly apply the provided patches and hotfixes to safeguard their systems against potential exploitation.
- As a workaround, review and update remote access policies, and consider limiting access to the product management console to trusted sources.
For more detailed information, please refer to the advisory provided by Trend Micro.