CVE-2019-18187

HIGH KEV

Trendmicro Officescan - Path Traversal

Title source: rule

Description

Trend Micro OfficeScan versions 11.0 and XG (12.0) could be exploited by an attacker utilizing a directory traversal vulnerability to extract files from an arbitrary zip file to a specific folder on the OfficeScan server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to a web service account, which depending on the web platform used may have restricted permissions. An attempted attack requires user authentication.

References (3)

[Broken Link, Vendor Advisory] https://success.trendmicro.com/solution/000151730

[Vendor Advisory] https://web.archive.org/web/20200215171235/https://success.trendmicro.com/solution/000151730

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18187

Scores

CVSS v3 7.5

EPSS 0.7922

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CISA KEV 2021-11-03

VulnCheck KEV 2019-10-28

InTheWild.io 2019-10-28

ENISA EUVD EUVD-2019-7990

CWE

CWE-22

Status published

Products (2)

trendmicro/officescan 11.0 sp1

trendmicro/officescan xg (2 CPE variants)

Published Oct 28, 2019

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026