A Bug in the Trend Micro Product Management Console Allows Hackers to Execute Arbitrary Code Remotely

Security software developer Trend Micro recently patched a high-severity vulnerability that could allow attackers to execute arbitrary code remotely from the Apex Central product management console.

While the security vulnerability that affects Apex Central product management console is tracked as CVE-2022-26871. System administrators can manage Trend Micro products and services through Apex Central, a web-based management console.

You can also use this tool for manually updating components via pre-scheduled updates or direct updates.

Default profile

  • CVE ID: CVE-2022-26871
  • Description: Arbitrary file download remote code execution vulnerability.
  • NVD release date: 03/29/2022
  • Last Modified: 03/30/2022
  • Source: Trend Micro, Inc.
  • CVSS Score: NA
  • Severity: High
  • Summary: This issue affects the browser’s file management module. It has a high-severity arbitrary file upload vulnerability that could be exploited by threat actors for Remote Code Execution (RCE).

Trend Micro Protection

To help protect Trend Micro products from the exploitation of these vulnerabilities, Trend Micro has released these IPS Rules and Filters. And here they are:-

  • Trend Micro Cloud One – Workload Security / Deep Security: Rule 1011349 – Remote Code Execution Vulnerability in Trend Micro Apex Central and Control Manager (CVE-2022-26871)
  • Trend Micro Cloud One – Network Security/TippingPoint: Filter 41072: HTTP: Trend Micro Apex Central Arbitrary File Upload Vulnerability
  • Trend Micro Deep Discovery Inspector: Rule 4673: CVE-2022-26871_HTTP_REMOTE_CODE_EXECUTION_EXPLOIT

Whereas following Trend Micro’s disclosure, CISA ordered that federal agencies have only three weeks (by April 21, 2022) to fix the exploited Apex Central bug or these penalties will be imposed on them. .

Also, a new set of solutions have been released by Trend Micro to fix the issue:-

Product Updated version Platform Availablity
Apex Central (on-site) Patch 3 (Build 6016) the Windows Now available
Apex Central (SaaS)* March 9, 2022, Deployment (Build 6016) SaaS Already deployed (March 9)


For an attacker to exploit these types of vulnerabilities, they generally need to have access to a vulnerable machine.

In addition to patches and updates, customers should review remote access to critical systems and extend security to perimeters and policies.

The agency further advised private and public sector organizations in the United States to patch the exploited vulnerability as soon as possible to prevent their networks from being hacked.

You can follow us on Linkedin, Twitter, Facebook for daily updates on cybersecurity and hacking.