CVE-2021-36741
HIGH KEV
Trend Micro Apex One, OfficeScan XG, and Worry-Free Business Security - Authenticated Arbitrary File Upload
Title source: llm
Exploitation Summary
CVE-2021-36741 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021.
Description
An improper input validation vulnerability in Trend Micro Apex One, Apex One as a Service, OfficeScan XG, and Worry-Free Business Security 10.0 SP1 allows a remote attacker to upload arbitrary files on affected installations. Please note: an attacker must first obtain the ability to log on to the product's management console in order to exploit this vulnerability.
References (5)
Core References
Broken Link, Vendor Advisory x_refsource_misc
https://success.trendmicro.com/solution/000287819
Broken Link, Vendor Advisory x_refsource_misc
https://success.trendmicro.com/solution/000287820
Broken Link, Vendor Advisory x_refsource_misc
https://success.trendmicro.com/jp/solution/000287796
Broken Link, Vendor Advisory x_refsource_misc
https://success.trendmicro.com/jp/solution/000287815
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36741
Scores
CVSS v3
8.8
EPSS
0.0066
EPSS Percentile
71.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
total
Details
CISA KEV
2021-11-03
VulnCheck KEV
2021-08-11
InTheWild.io
2021-07-28
ENISA EUVD
EUVD-2021-23331
CWE
CWE-434
Status
published
Products (4)
trendmicro/apex_one
2019
trendmicro/officescan
xg sp1
trendmicro/officescan_business_security
10.0 sp1
trendmicro/worry-free_business_security
10.0 sp1
Published
Jul 29, 2021
KEV Added
Nov 03, 2021
Tracked Since
Feb 18, 2026