CVE-2017-6398

HIGH

Trend Micro InterScan Messaging Security Virtual Appliance 9.1-1600 - OS Command Injection via saveCert.imss

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-6398. PoCs published by Mehmet Ince <[email protected]>, including Metasploit module exploits/linux/http/trend_micro_imsva_exec.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Trend Micro IMSVA by leveraging improper input sanitization in the saveCert.imss endpoint, allowing authenticated users to execute arbitrary commands as root.

Description

An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. An authenticated user can execute a terminal command in the context of the web server user (which is root). Besides, the default installation of IMSVA comes with default administrator credentials. The saveCert.imss endpoint takes several user inputs and performs blacklisting. After that, it uses them as arguments to a predefined operating-system command without proper sanitization. However, because of an improper blacklisting rule, it's possible to inject arbitrary commands into it.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Mehmet Ince <[email protected]> · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/trend_micro_imsva_exec.rb


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Trend Micro InterScan Messaging Security (Virtual Appliance) prior to 9.1-1600
Auth required
Prerequisites: Network access to the target · Valid credentials (default admin:imsva)
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/96859

Scores

CVSS v3: 8.8
EPSS: 0.5500
EPSS Percentile: 98.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (1): trendmicro/interscan_messaging_security_virtual_appliance 9.1-1600
Published: Mar 14, 2017
Tracked Since: Feb 18, 2026