SECURITY BULLETIN: Arbitrary File Overwrite/Create in Trend Micro VPN

LAST UPDATED: MAY 29, 2024

Release Date: May 28, 2024

Trend Micro Vulnerability Identifier: CVE-2024-36473

Platform(s): Windows 10 version or higher

Summary

Trend Micro has released a new version of Trend Micro VPN. This update addresses a vulnerability that previously allowed local Denial of Service (DoS) and Privilege Escalation under special circumstances due to vulnerable HTTP endpoints exposed to users.

Affected version(s)

PRODUCT	AFFECTED VERSION(S)	PLATFORM	LANGUAGE(S)
Trend Micro VPN	5.8.1012 and below	Windows 10	English

Solution

PRODUCT	UPDATED VERSION(S)	PLATFORM	LANGUAGE(S)
Trend Micro VPN	5.8.1025	Windows 10	English

Vulnerability Details

Trend Micro VPN, version 5.8.1012 and below is vulnerable to an arbitrary file overwrite or create attack but is limited to local Denial of Service (DoS) and under specific conditions can lead to elevation of privileges.

Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.

Mitigating Factors

None identified. Customers are advised to ensure they always have the latest version of the program.

Acknowledgement

Trend Micro would like to thank Hashim Jawad (@ihack4falafel) working with Trend Micro’s Zero Day Initiative (ZDI) for responsibly disclosing this issue and working with Trend Micro to help protect our customers.

External Reference

ZDI-CAN-22715

How helpful was this article?

It was very unhelpful.
It wasn't helpful at all.
It was not helpful.
Somewhat helpful.
Just okay.
Just okay.
It was helpful.
It was somewhat helpful.
It was very helpful.
It was helpful.

Thank you for your feedback!

Feedback entity isn't available at the moment. Try again later.

Modal header