Mallory

Authenticated SQL Injection Flaws in Trend Micro Apex Central Enable RCE

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, proof-of-concept-release, initial-access-method

Updated April 11, 2026 at 05:23 PM, 3 sources


Trend Micro Apex Central 2019 Build 6016 and earlier contains two high-severity authenticated SQL injection vulnerabilities, CVE-2023-32529 and CVE-2023-32530, that can be escalated to remote code execution. The flaws affect the modTMMS certificate-handling workflow, where user-controlled X.509 certificate fields are incorporated into SQLite queries without proper validation, including the AddCert() and DeleteCertById() paths. Researchers said even low-privilege authenticated users can exploit the bugs by uploading crafted certificate data through proxy_controller.php, using module=modTMMS and tmms_cmd=set_certificates_config to reach the vulnerable functionality.

Because Apex Central uses SQLite on the backend, attackers can abuse the injection to write a malicious PHP file into the webroot and execute system commands as the IUSR account. Both issues carry a CVSS v3.1 score of 8.8 and were patched by Trend Micro on December 19, 2022, before public disclosure by STAR Labs and ZDI. Defenders are advised to update Apex Central to the latest available version and inspect the widget repository directory for suspicious PHP files that could indicate compromise.
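The bug class described above, as an added illustration that is not Trend Micro's code: a hypothetical SQLite-backed certificate store with stand-ins for the two advisory paths (AddCert and DeleteCertById), first with fields spliced into the SQL text and then with bound parameters and input validation, on constructed inputs. Table, column and function names are assumptions.

```python
import re
import sqlite3

# Hypothetical stand-in for a certificate store (not the product's schema).
def open_store():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE certs (id INTEGER PRIMARY KEY, subject TEXT)")
    return con

# Vulnerable pattern: the certificate subject and the id are spliced into the
# query text, so whatever the field contains is parsed as SQL, not as data.
def add_cert_vulnerable(con, subject):
    con.execute(f"INSERT INTO certs (subject) VALUES ('{subject}')")

def delete_cert_by_id_vulnerable(con, cert_id):
    con.execute(f"DELETE FROM certs WHERE id = {cert_id}")

# Hardened pattern: bound parameters keep every field as data, and the id is
# validated as a non-negative integer before it reaches the database at all.
def add_cert_hardened(con, subject):
    con.execute("INSERT INTO certs (subject) VALUES (?)", (subject,))

def delete_cert_by_id_hardened(con, cert_id):
    if not re.fullmatch(r"[0-9]+", str(cert_id)):
        raise ValueError("certificate id must be a non-negative integer")
    con.execute("DELETE FROM certs WHERE id = ?", (int(cert_id),))

def count_certs(con):
    return con.execute("SELECT COUNT(*) FROM certs").fetchone()[0]

# Constructed inputs: two benign subjects and one id field carrying a tautology.
BENIGN = ["CN=Apex Central Agent 1", "CN=Apex Central Agent 2"]
TAMPERED_ID = "1 OR 1=1"

def demo(vulnerable):
    """Return how many rows survive deleting 'one' certificate by TAMPERED_ID."""
    con = open_store()
    add = add_cert_vulnerable if vulnerable else add_cert_hardened
    delete = delete_cert_by_id_vulnerable if vulnerable else delete_cert_by_id_hardened
    for s in BENIGN:
        add(con, s)
    try:
        delete(con, TAMPERED_ID)
    except ValueError:
        pass  # hardened path rejects the field before any SQL runs
    return count_certs(con)

def store_and_read(vulnerable, subject):
    """A legitimate subject with an apostrophe breaks the spliced query."""
    con = open_store()
    add = add_cert_vulnerable if vulnerable else add_cert_hardened
    try:
        add(con, subject)
    except sqlite3.Error as e:
        return f"error: {type(e).__name__}"
    return con.execute("SELECT subject FROM certs").fetchone()[0]
```

With the spliced queries, `demo(True)` deletes every row and a subject such as `CN=O'Brien` fails to store; the parameterized versions keep both rows and store the subject verbatim.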

Timeline

  1. Aug 22, 2023

    STAR Labs publicly discloses CVE-2023-32529 and CVE-2023-32530

    STAR Labs SG published advisories detailing two high-severity authenticated SQL injection vulnerabilities in Trend Micro Apex Central 2019. The disclosures explained that the bugs in the modTMMS certificate-handling workflow could be escalated to remote code execution and advised users to update and inspect for suspicious PHP files.

  2. Dec 19, 2022

    Trend Micro patches Apex Central SQL injection RCE flaws

    Trend Micro released fixes for two authenticated SQL injection vulnerabilities in Apex Central 2019 Build 6016 and earlier, later tracked as CVE-2023-32529 and CVE-2023-32530. Both flaws could be exploited by low-privilege authenticated users to achieve remote code execution by writing a PHP file into the webroot.


Related Stories

Critical Unauthenticated RCE Vulnerability in Trend Micro Apex Central (CVE-2025-69258)

A critical remote code execution vulnerability, tracked as CVE-2025-69258, was discovered in Trend Micro Apex Central (on-premise), allowing unauthenticated attackers to load a malicious DLL into the `MsgReceiver.exe` process and execute code with SYSTEM privileges. The flaw, along with two related vulnerabilities (CVE-2025-69259 and CVE-2025-69260), was privately reported by Tenable researchers and affects all previous releases of Apex Central prior to Critical Patch Build 7190. Exploitation requires only network access to the vulnerable system, and technical details as well as proof-of-concept exploits have been publicly released. Trend Micro has issued a critical patch to address these vulnerabilities and strongly urges customers to update to the latest build immediately. The company also recommends reviewing remote access policies and perimeter security to mitigate potential exploitation. The vulnerabilities can be triggered by sending specially crafted messages to the `MsgReceiver.exe` process, which listens on TCP port 20001, with CVE-2025-69258 enabling code execution and the others causing denial of service. No affected product versions were explicitly listed in the CVE database at the time of disclosure, but all prior releases are considered vulnerable.

1 month ago

Critical RCE Vulnerabilities in Trend Micro Apex One Management Console

**Trend Micro patched two critical remote code execution vulnerabilities in *Apex One* affecting Windows environments**, both caused by **path traversal weaknesses in the Apex One management console**: `CVE-2025-71210` and `CVE-2025-71211`. Trend Micro stated exploitation requires an attacker to have access to the management console, and warned organizations with consoles exposed to the internet to apply mitigations such as source/IP restrictions and to update to the latest builds; the fixes include updates for SaaS deployments and **Critical Patch Build 14136** for affected on-prem installations. Canada’s Centre for Cyber Security issued advisory **AV26-168** urging administrators to apply Trend Micro’s updates for **Apex One (on-premise)**, **Apex One as a Service (SaaS)**, and **Trend Vision One Endpoint / Standard Endpoint Protection (SaaS)**. Neither advisory indicated confirmed exploitation in the wild for these specific CVEs at the time of publication, but the vendor and reporting highlighted that **Apex One vulnerabilities have been actively exploited in prior campaigns**, reinforcing the need for rapid patching and exposure reduction of management interfaces.

1 month ago

Unauthenticated RCE Chain in Trend Micro Mobile Security Enterprise

Trend Micro Mobile Security (Enterprise) 9.8 SP5 through Critical Patch 3 contains two critical flaws, `CVE-2023-32523` and `CVE-2023-32524`, that allow unauthenticated attackers to achieve pre-authenticated remote code execution by chaining an authentication bypass with unrestricted file upload and local file inclusion weaknesses. In both cases, the application trusts a user-controlled `session_info` cookie at the `/widget` endpoint, automatically creates missing `WFUser` accounts with blank passwords, and binds them to a valid PHP session, giving attackers authenticated access without valid credentials. Attackers can then upload an arbitrary PHP file such as `PoolManager.php` into `C:\Windows\Temp` through `proxy_controller.php` and execute it via path traversal or unsanitized `require_once` input in `widget_package_manager.php` or `widgetforsecurity_package_manager.php`. The bugs are rated `CVSS 9.8`, require no authentication or user interaction, and could enable arbitrary code execution on the appliance and follow-on lateral movement. Trend Micro issued fixes on April 18, 2023, and defenders were advised to inspect `C:\Windows\Temp` for unexpected PHP files and review logs for suspicious requests hitting the vulnerable endpoints in close succession.

2 weeks ago
