CVE-2023-47198: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

An origin validation vulnerability (CVE-2023-47198) was discovered in the Trend Micro Apex One security agent, affecting both on-premises (2019) and SaaS versions. The vulnerability was disclosed on January 23, 2024, and could allow a local attacker to escalate privileges on affected installations. The issue specifically affects Apex One versions up to (excluding) 14.0.12737 (NVD, Vendor Advisory).

The vulnerability stems from insufficient validation of the origin of commands within the Apex One NT Listener service. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-346 (Origin Validation Error) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM. However, it's important to note that an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability (ZDI Advisory).

Trend Micro has released patches to address this vulnerability. For Apex One 2019 (On-prem), users should upgrade to SP1 CP 12526, and for Apex One as a Service, users should apply the September 2023 Monthly Patch (202309) with Agent Version 14.0.12737 or later. Additionally, customers are advised to review remote access to critical systems and ensure policies and perimeter security are up-to-date (Vendor Advisory).

The vulnerability was discovered and reported by security researcher Lays (@_L4ys) of TRAPA Security, working with Trend Micro's Zero Day Initiative. The coordinated disclosure process began on June 22, 2023, and the public advisory was released on November 14, 2023 (ZDI Advisory).