CVE-2024-51503: 
Trend Micro Deep Security Agent vulnerability analysis and mitigation

A security agent manual scan command injection vulnerability (CVE-2024-51503) was discovered in the Trend Micro Deep Security 20 Agent. The vulnerability was identified and disclosed on November 19, 2024, affecting Trend Micro Deep Security Agent versions before 20.0.1-21510 and Deep Security Notifier on DSVA Version 20.0.0-8438 on Windows platforms. The vulnerability received a CVSS v3.1 base score of 8.0 (HIGH) (ZDI Advisory, Trend Micro).

The vulnerability stems from improper validation of user-supplied strings before executing system calls within the Trend Micro Deep Security Notifier service. It is classified as CWE-78 (OS Command Injection). The vulnerability has been assigned a CVSS v3.1 vector of AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating its high severity level (Trend Micro, ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to escalate privileges and execute arbitrary code on affected machines with SYSTEM-level privileges. In certain circumstances, attackers with legitimate domain access could remotely inject commands to other machines within the same domain (Security Online, Trend Micro).

Trend Micro has released version 20.0.1-21510 of the Deep Security Agent to address this vulnerability. Users are strongly encouraged to update to the latest version immediately. Additionally, organizations should review remote access to critical systems and ensure their security policies and perimeter security are up-to-date (Trend Micro).

The vulnerability was responsibly disclosed by Simon Zuckerbraun of Trend Micro's Zero Day Initiative (ZDI). The discovery and patching process followed standard responsible disclosure practices, with the vulnerability being reported to the vendor on August 20, 2024, and a coordinated public release on November 19, 2024 (ZDI Advisory).