CVE-2023-52094: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

CVE-2023-52094 is an updater link following vulnerability discovered in the Trend Micro Apex One agent. The vulnerability was disclosed on January 23, 2024, affecting Trend Micro Apex One 2019 and Apex One as a Service versions up to (excluding) 14.0.12849. This security flaw could allow a local attacker to abuse the updater to delete an arbitrary folder, potentially leading to local privilege escalation on affected installations (Vendor Advisory, ZDI Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the product update mechanism, where by creating a junction, an attacker can abuse the updater to delete a folder. The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM. The attacker could potentially gain elevated access to delete arbitrary folders on the affected system (ZDI Advisory).

Trend Micro has released patches to address this vulnerability. For Apex One 2019 (On-prem), users should update to SP1 CP b12534, and for Apex One as a Service, users should apply the November 2023 Monthly Patch (202311) with Agent Version 14.0.12849. Customers are strongly encouraged to update to the latest builds as soon as possible (Vendor Advisory).

The vulnerability was discovered and reported by NT AUTHORITY\ANONYMOUS LOGON working with Trend Micro's Zero Day Initiative. The disclosure timeline indicates that the vulnerability was reported to the vendor on August 17, 2023, with a coordinated public release on January 10, 2024 (ZDI Advisory).