Trend Micro fixes two actively exploited zero-days in enterprise products

Trend Micro has fixed two actively exploited zero-day vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and advises customers to update to the latest software versions as soon as possible.

About the vulnerabilities

The two zero-days are:

• CVE-2020-8467, a critical flaw in the migration tool component of the two solutions that could allow remote attackers to execute arbitrary code on affected installations
• CVE-2020-8468, a high-risk content validation escape vulnerability affecting Apex One and OfficeScan agents, which could allow remote attackers to manipulate certain agent client components.

In both cases, attackers must authenticate to the target endpoint with valid, compromised credentials before attempting exploitation, which means that these flaws are likely to have been exploited by attackers who have already found their way into the enterprise network.

Vulnerable versions

Affected versions Apex One 2019 (on premise) for Windows and OfficeScan XG SP1 and XG for Windows. Fixes have been implemented in:

• Apex One (on premise) CP 2117
• OfficeScan XG SP1 CP 5474
• OfficeScan XG CP 1988

Additional vulnerabilities

In addition to these two zero-days, three additional critical security holes (CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) have been plugged in these updates. These allow remote attacks without authentication, but Trend Micro has not observed any attempted exploits of those vulnerabilities.

The company did not share the nature of the in-the-wild attacks.

Before this, back in October 2019, Trend Micro fixed CVE-2019-18187, a vulnerability affecting OfficeScan, that has been used by a Chinese hacker group that breached Mitsubishi Electric.