CVE-2017-11394

CRITICAL

Trend Micro OfficeScan 11 and XG (12) - Remote Code Execution via Proxy.php T Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-11394. PoCs published by Mehmet Ince, mr_me <[email protected]>, Mehmet Ince <[email protected]>, including Metasploit module exploits/windows/http/trendmicro_officescan_widget_exec.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass and command injection vulnerability in Trend Micro OfficeScan. It allows unauthenticated users to execute terminal commands under the context of the web server user by leveraging flaws in the widget feature and proxy.php file handling.

Description

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.

Exploits (2)

exploitdb WORKING POC

by Mehmet Ince · rubywebappsphp

https://www.exploit-db.com/exploits/42971

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass and command injection vulnerability in Trend Micro OfficeScan. It allows unauthenticated users to execute terminal commands under the context of the web server user by leveraging flaws in the widget feature and proxy.php file handling.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Trend Micro OfficeScan 11 and XG

No auth needed

Prerequisites: Network access to the target's management interface on port 443

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by mr_me <[email protected]>, Mehmet Ince <[email protected]> · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/trendmicro_officescan_widget_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass (CVE-2017-11394) and command injection in Trend Micro OfficeScan, allowing unauthenticated RCE via crafted HTTP requests to vulnerable PHP endpoints.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Trend Micro OfficeScan 11 and XG

No auth needed

Prerequisites: Network access to TCP/443 · Vulnerable OfficeScan version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/100130

Mitigation, Patch, Vendor Advisory x_refsource_misc

https://success.trendmicro.com/solution/1117769

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42971/

Third Party Advisory, VDB Entry x_refsource_misc

http://www.zerodayinitiative.com/advisories/ZDI-17-521

Scores

CVSS v3 9.8

EPSS 0.6677

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (3)

Trend Micro/Trend Micro OfficeScan 11, XG (12)

trendmicro/officescan 11.0 sp1

trendmicro/officescan 12.0

Published Aug 03, 2017

Tracked Since Feb 18, 2026