CVE-2021-45441: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

A origin validation error vulnerability was discovered in Trend Micro Apex One (on-prem and SaaS) and Worry-Free Business Security products. The vulnerability, identified as CVE-2021-45441, was disclosed on January 10, 2022. The affected products include Trend Micro Apex One 2019, Worry-Free Business Security 10.0 SP1, and Worry-Free Business Security Services SaaS versions (ZDI Advisory, NVD).

The vulnerability exists within the Apex One NT RealTime Scan service and stems from insufficient validation of the origin of commands. It has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-346 (Origin Validation Error) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM. The impact affects all three major security aspects - confidentiality, integrity, and availability - each rated as High in the CVSS scoring (ZDI Advisory).

Trend Micro has released security updates to address this vulnerability. Users of affected products should apply the appropriate patches: Apex One 2019 should be updated to Patch 6 B10048 or later, and Worry-Free Business Security (WFBS) 10.0 SP1 should be updated to Patch 2368 or later (CERT-FR).