Trend Micro has addressed several serious vulnerabilities in its products, including two flaws that have been exploited in the wild.

Trend Micro has released security updates to address several serious flaws in its Worry-Free Business Security, Apex One and OfficeScan products, including two vulnerabilities that have been exploited by threat actors in the wild.

Both vulnerabilities exploited in the wild were found by the company's own researchers, but Trend Micro did not release details about the attacks.

The first issue, tracked as CVE-2020-8467, impacts the migration tool component of Apex One and OfficeScan. It could be exploited by a remote, authenticated attacker to execute arbitrary code on vulnerable installs.

“A migration tool component of Trend Micro Apex One and OfficeScan contains a vulnerability which could allow remote attackers to execute arbitrary code on affected installations (RCE). An attempted attack requires user authentication,” reads the advisory published by Trend Micro.

The vulnerability, rated as critical severity, has received a CVSS score of 9.1.

The second vulnerability exploited in the wild, tracked as CVE-2020-8468, is a content validation escape issue that affects the agents for Worry-Free Business Security, Apex One and OfficeScan. The vulnerability could be exploited by an authenticated attacker to “manipulate certain agent client components.”

“Trend Micro Worry-Free Business Security agents are affected by a content validation escape vulnerability which could allow an attacker to manipulate certain agent client components. An attempted attack requires user authentication,” reads the advisory.

The CVE-2020-8468 vulnerability, rated as High severity, has a CVSS score of 8.0.

Experts pointed out that both issues have to be chained with other vulnerabilities to be exploited in attacks in the wild.

In January, Chinese hackers exploited another zero-day vulnerability in the Trend Micro OfficeScan antivirus in an attack that hit Mitsubishi Electric.

Pierluigi Paganini