CVE-2007-2508

Trend Micro ServerProtect <5.58 - Buffer Overflow

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2007-2508. PoCs published by Metasploit, MC, including Metasploit module exploits/windows/antivirus/trendmicro_serverprotect_createbinding.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in Trend Micro ServerProtect 5.58 EarthAgent.EXE via a crafted RPC request to execute arbitrary code. It uses a known return address (0x605e3c2f) and includes a payload with space constraints and bad character restrictions.

Description

Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2 Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16829

This Metasploit module exploits a buffer overflow in Trend Micro ServerProtect 5.58 EarthAgent.EXE via a crafted RPC request to execute arbitrary code. It uses a known return address (0x605e3c2f) and includes a payload with space constraints and bad character restrictions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trend Micro ServerProtect 5.58 Build 1060
No auth needed
Prerequisites: Network access to target on port 3628 · Vulnerable version of Trend Micro ServerProtect
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16828

This Metasploit module exploits a buffer overflow in Trend Micro ServerProtect 5.58 via a maliciously crafted RPC request to the CreateBinding() function, allowing arbitrary code execution. The exploit uses a known return address in StRpcSrv.dll to achieve RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trend Micro ServerProtect 5.58 Build 1060
No auth needed
Prerequisites: Network access to target's RPC service (port 5168) · Vulnerable version of Trend Micro ServerProtect
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by MC · rubyremotewindows
https://www.exploit-db.com/exploits/29964

This exploit targets a stack-based buffer overflow in Trend Micro ServerProtect 5.58 via a malformed RPC request to the CreateBinding() function. It leverages a JMP shortcut and NOP sled to redirect execution to shellcode, achieving remote code execution with SYSTEM privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trend Micro ServerProtect 5.58 Build 1060
No auth needed
Prerequisites: Network access to TCP port 5168 · Vulnerable version of Trend Micro ServerProtect
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/trendmicro_serverprotect_createbinding.rb

This Metasploit module exploits a buffer overflow in Trend Micro ServerProtect 5.58 via a crafted RPC request to the CreateBinding() function, allowing arbitrary code execution. It uses a known return address (0x65675aa8) and includes a payload with bad character avoidance.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trend Micro ServerProtect 5.58 Build 1060
No auth needed
Prerequisites: Network access to target's RPC port (5168) · Vulnerable version of Trend Micro ServerProtect
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by MC · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/antivirus/trendmicro_serverprotect_earthagent.rb

This Metasploit module exploits a buffer overflow in Trend Micro ServerProtect 5.58 EarthAgent.EXE via a crafted RPC request, allowing arbitrary code execution. It uses a known return address (0x605e3c2f) and includes a payload with bad character avoidance.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trend Micro ServerProtect 5.58 Build 1060
No auth needed
Prerequisites: Network access to target on port 3628 · Vulnerable version of Trend Micro ServerProtect
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (16)

Core 16
Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1689
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/34163
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/35790
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/467932/100/0/threaded
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/515616
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23868
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/467933/100/0/threaded
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23866
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/34162
Patch vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1018010
Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25186
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/35789
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/488424

Scores

EPSS 0.7719
EPSS Percentile 99.5%

Details

CWE
CWE-119
Status published
Products (1)
trend_micro/serverprotect < 5.58
Published May 08, 2007
Tracked Since Feb 18, 2026