CVE-2023-52092: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

A security agent link following vulnerability (CVE-2023-52092) was discovered in Trend Micro Apex One that could allow a local attacker to escalate privileges on affected installations. The vulnerability was disclosed on January 10, 2024, affecting Apex One 2019 and Apex One as a Service versions prior to 14.0.12849. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability (ZDI Advisory, Trend Micro Advisory).

The specific vulnerability exists within the Damage Cleanup Engine of Trend Micro Apex One. By creating a junction, an attacker can abuse a driver to delete a file. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required with low attack complexity and privilege requirements (ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM, potentially gaining full control over the affected system (ZDI Advisory).

Trend Micro has released patches to address this vulnerability. For Apex One 2019 (On-prem), users should update to SP1 CP b12534, and for Apex One as a Service, users should apply the November 2023 Monthly Patch (202311) with Agent Version 14.0.12849 (Trend Micro Advisory).