CVE-2020-8605

HIGH

Trend Micro InterScan Web Security Virtual Appliance 6.5 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8605. PoCs published by Mehmet Ince, Mehmet Ince <[email protected]>, including Metasploit module exploits/linux/http/trendmicro_websecurity_exec.

AI-analyzed exploit summary This Metasploit module exploits multiple vulnerabilities (CVE-2020-8604, CVE-2020-8605, CVE-2020-8606) in Trend Micro Web Security Virtual Appliance to achieve unauthenticated remote code execution as root. It chains a proxy service flaw, an Apache Solr path traversal, and a command injection in the LogSettingHandler class.

Description

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to execute arbitrary code on affected installations. Authentication is required to exploit this vulnerability.

Exploits (2)

exploitdb WORKING POC
by Mehmet Ince · rubywebappsmultiple
https://www.exploit-db.com/exploits/48667

This Metasploit module exploits multiple vulnerabilities (CVE-2020-8604, CVE-2020-8605, CVE-2020-8606) in Trend Micro Web Security Virtual Appliance to achieve unauthenticated remote code execution as root. It chains a proxy service flaw, an Apache Solr path traversal, and a command injection in the LogSettingHandler class.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Trend Micro Web Security Virtual Appliance (versions prior to 6.5 SP2 Patch 4 (Build 1901))
No auth needed
Prerequisites: Network access to ports 8443 (admin interface) and 8080 (proxy service) · Python payload compatibility with target environment
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Mehmet Ince <[email protected]> · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/trendmicro_websecurity_exec.rb

This Metasploit module exploits a chain of vulnerabilities (CVE-2020-8604, CVE-2020-8605, CVE-2020-8606) in Trend Micro Web Security Virtual Appliance to achieve unauthenticated remote code execution as root. It leverages a proxy service flaw to extract session IDs and a command injection vulnerability in the LogSettingHandler class.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Trend Micro Web Security Virtual Appliance (versions prior to 6.5 SP2 Patch 4 (Build 1901))
No auth needed
Prerequisites: Network access to the target appliance · Proxy service (port 8080) and administrator interface (port 8443) must be accessible
devstral-2 · analyzed Apr 23, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-676/
Patch, Vendor Advisory x_refsource_misc
https://success.trendmicro.com/solution/000253095

Scores

CVSS v3 8.8
EPSS 0.8948
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
trendmicro/interscan_web_security_virtual_appliance 6.5
Published May 27, 2020
Tracked Since Feb 18, 2026