CVE-2024-51503
HIGHTrend Micro Deep Security 20 Agent - Privilege Escalation and Remote Code Execution via Manual Scan Command Injection
Title source: llmDescription
A security agent manual scan command injection vulnerability in the Trend Micro Deep Security 20 Agent could allow an attacker to escalate privileges and execute arbitrary code on an affected machine. In certain circumstances, attackers that have legitimate access to the domain may be able to remotely inject commands to other machines in the same domain. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability locally and must have domain user privileges to affect other machines.
References (2)
Core 2
Core References
Vendor Advisory
https://success.trendmicro.com/en-US/solution/KA-0018154
Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-24-1516/
Scores
CVSS v3
8.0
EPSS
0.0101
EPSS Percentile
77.4%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
CWE-77
Status
published
Products (1)
trendmicro/deep_security_agent
20.0 (50 CPE variants)
Published
Nov 19, 2024
Tracked Since
Feb 18, 2026