CVE-2021-25253

CVSS 7.8 HIGH

📋 TL;DR

An improper access control flaw in Trend Micro Apex One, Apex One as a Service, and OfficeScan XG SP1 lets a local attacker who can already run low-privileged code on the endpoint escalate privileges. There is no remote or unauthenticated path: the attacker must first obtain code execution on the host, after which the flaw turns that foothold into elevated control of the machine.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
  • Trend Micro OfficeScan XG SP1
Versions: All builds prior to the patched releases listed under Official Fix
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Both on-premise Apex One and the SaaS edition (Apex One as a Service) are affected, as is OfficeScan XG SP1. For the SaaS edition the server-side fix is applied by Trend Micro rather than by the customer; still confirm the agent build on each endpoint rather than assuming it has rolled out.

📦 What is this software?

Trend Micro Apex One is Trend Micro's endpoint protection platform (anti-malware, behaviour monitoring and related controls) for Windows endpoints, and the successor to OfficeScan; OfficeScan XG was the last OfficeScan-branded release. The product consists of a management server and an agent installed on every endpoint, and the agent runs as a set of privileged Windows services, which is why a flaw in its access controls translates directly into local privilege escalation. Apex One as a Service is the same product with the management server hosted by Trend Micro.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling complete control over the endpoint, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive system resources.

🟢

If Mitigated

Limited impact if the attacker's initial foothold is contained: least privilege on endpoints reduces who can reach the flaw, network segmentation limits lateral movement after an escalation, and endpoint detection gives a chance to catch the escalation itself. None of these remove the vulnerability; only the patch does.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: HIGH - Any foothold on a host running the agent (a phished user, a compromised standard account, a malicious insider) can be converted into elevated privileges, and from there into credential theft and lateral movement.

🎯 Exploit Status

Public PoC: No (none publicly known)
Weaponized: LIKELY (no in-the-wild exploitation is cited here, but endpoint security agents are a routine target for local privilege escalation, so treat it as exploitable)
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires local code execution as a low-privileged user. The flaw is an improper access control weakness in the product's privileged service components: resources that should be reachable only by the service or by administrators can be reached by a standard user, which is what turns local access into elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apex One 2019 (Build 11770) and later, OfficeScan XG SP1 Patch 4 (Build 6100) and later

Vendor Advisory: https://success.trendmicro.com/solution/000286019

Restart Required: Yes

Instructions:

1. Download the patch for your product line from the Trend Micro support portal (linked from the vendor advisory above).
2. Apply the patch so that every affected endpoint receives the new agent build; in on-premise deployments the patch is applied on the management server and agents pick up the updated build from it.
3. Restart the systems where the installer requires it to complete installation.
4. Verify that the installed build on each endpoint is at or above the patched build (see How to Verify); a marketing version such as "Apex One 2019" alone does not tell you whether the fix is present.

🔧 Temporary Workarounds

Restrict local access

windows

Limit who can log on or run code locally on systems running affected Trend Micro agents. The flaw needs only a low-privileged local account, so every user who can execute code on the host is a potential path to escalation.

Enhanced monitoring

all

Monitor for privilege escalation attempts and for unusual activity by the Trend Micro agent services, in particular unexpected child processes, file or registry writes outside the product's own directories, and access-denied errors involving the agent's service resources.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Apply principle of least privilege and monitor for suspicious local privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the product version and build: on the endpoint, open the agent console (About/Help) or read the version from the installed-programs list; fleet-wide, use the Apex One web console or OfficeScan management console, which reports the build of every managed agent.

Check Version:

Take the build number from the reported version string (typically its last component, in the form major.minor.build) and compare it against the patched builds below, rather than relying on the marketing version (Apex One 2019 / OfficeScan XG SP1), which is the same on vulnerable and fixed installs.

Verify Fix Applied:

Verify the build number is at or above the patched versions: Apex One Build 11770+, OfficeScan XG SP1 Build 6100+
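
As an added example (not from this page or from Trend Micro), the following PowerShell check can be run on an endpoint to compare the installed agent build against the patched builds quoted above; it serves both the "Verify the patch is applied" step of the fix instructions and this verification section. It assumes the agent registers under the standard Windows Uninstall registry keys with a DisplayName containing "Trend Micro" and a DisplayVersion that ends in the build number (for example 14.0.11770), and that the 11770 and 6100 thresholds quoted on this page are correct for your product line; the function names are hypothetical. The management console remains the authoritative source for fleet-wide status.

```powershell
# Added example (not from this page or from Trend Micro): compare the locally
# installed agent build with the patched builds quoted on this page.
# Assumptions (verify against your installation): the agent appears under the
# standard Uninstall registry keys with a DisplayName containing "Trend Micro",
# and its DisplayVersion ends in the build number (e.g. "14.0.11770").

$PatchedBuilds = @{
    'Apex One'   = 11770   # Apex One 2019, Build 11770 and later
    'OfficeScan' = 6100    # OfficeScan XG SP1 Patch 4, Build 6100 and later
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-TrendMicroAgent {
    # Enumerate installed Trend Micro products and extract the trailing build number.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Trend Micro*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Trailing digits of the version string are taken as the build (assumption).
            $build = if ($_.DisplayVersion -match '(\d+)\D*$') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Product = $_.DisplayName
                Version = $_.DisplayVersion
                Build   = $build
            }
        }
}

function Test-Cve202125253 {
    # Classify one product entry as Patched, VULNERABLE, or outside the families this page covers.
    param([Parameter(Mandatory)]$Agent)
    $family = $PatchedBuilds.Keys | Where-Object { $Agent.Product -like "*$_*" } | Select-Object -First 1
    if (-not $family -or $null -eq $Agent.Build) {
        $status  = 'Unknown (not an Apex One/OfficeScan entry, or build not parseable)'
        $minimum = $null
    } else {
        $minimum = $PatchedBuilds[$family]
        $status  = if ($Agent.Build -ge $minimum) { 'Patched' } else { 'VULNERABLE' }
    }
    [pscustomobject]@{
        Product      = $Agent.Product
        Version      = $Agent.Version
        Build        = $Agent.Build
        MinimumBuild = $minimum
        Status       = $status
    }
}

$agents = @(Get-TrendMicroAgent)
if ($agents.Count -eq 0) {
    Write-Warning 'No Trend Micro product found under the Uninstall registry keys.'
} else {
    $agents | ForEach-Object { Test-Cve202125253 -Agent $_ } | Format-Table -AutoSize
}
```

If the Uninstall entry on your agents does not carry a major.minor.build version string, take the build from the agent's About dialog instead; the comparison is the same. Apex One as a Service agents may report a different build series from the on-premise product, so confirm the SaaS threshold with Trend Micro before relying on the 11770 figure for them.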

📡 Detection & Monitoring

Log Indicators:

  • Unusual service privilege changes
  • Failed or successful privilege escalation attempts in system logs
  • Trend Micro service access violations

Network Indicators:

  • Outbound connections from Trend Micro agent processes to destinations other than the management server and Trend Micro update infrastructure
  • Lateral movement attempts from affected systems

SIEM Query (the field names are placeholders; map them to your SIEM's schema for Trend Micro product logs, and pair the query with Windows Security process-creation events for the host-side signal):

source="trendmicro" AND (event_type="privilege_escalation" OR service_access="unauthorized")
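
As an added example (not from this page or from Trend Micro), the "unusual service activity" indicator above turned into a PowerShell hunt over Windows Security event 4688 (process creation). The advisory does not describe the mechanism of this flaw, so the heuristic is generic to privilege escalation through a privileged endpoint agent rather than a signature for this CVE: it flags a shell or script host running with the SYSTEM token whose parent process lives under the Trend Micro install directory. Assumed: 4688 auditing is enabled, the ParentProcessName field is present (Windows 10 / Server 2016 and later), the agent installs under a path containing "\Trend Micro\" (the "OfficeScan Client" folder and the process names in the samples are assumptions too), and the function names are hypothetical. By default the script runs against constructed sample records; pass -Live to read the local Security log.

```powershell
# Added example (not from this page or from Trend Micro): hunt for SYSTEM-token
# shells spawned by Trend Micro agent processes, using Security event 4688.
# Assumptions: 4688 auditing enabled; ParentProcessName present (Win10/2016+);
# agent installed under a path containing "\Trend Micro\".
param(
    [switch]$Live,        # read the local Security log instead of the built-in samples
    [int]$Hours = 24      # look-back window when -Live is used
)

$SystemSid  = 'S-1-5-18'
$ShellNames = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                'cscript.exe', 'mshta.exe', 'rundll32.exe')

function ConvertFrom-Event4688 {
    # Flatten the EventData of a 4688 record into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-SuspiciousAgentChild {
    # $true when a SYSTEM-token shell/script host has a Trend Micro parent process.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $parent = [string]$Fields['ParentProcessName']
    $child  = [string]$Fields['NewProcessName']
    if (-not $parent -or -not $child) { return $false }
    $childLeaf = [System.IO.Path]::GetFileName($child).ToLowerInvariant()
    return (($Fields['SubjectUserSid'] -eq $SystemSid) -and
            ($parent -like '*\Trend Micro\*') -and
            ($ShellNames -contains $childLeaf))
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$Samples = @(
    @{ TimeCreated = Get-Date; SubjectUserSid = 'S-1-5-18'
       ParentProcessName = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRtScan.exe'
       NewProcessName    = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmCCSF.exe' }  # benign helper
    @{ TimeCreated = Get-Date; SubjectUserSid = 'S-1-5-18'
       ParentProcessName = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRtScan.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe' }                                      # suspicious
    @{ TimeCreated = Get-Date; SubjectUserSid = 'S-1-5-21-1000-2000-3000-1001'
       ParentProcessName = 'C:\Windows\explorer.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe' }                                      # user shell, ignore
)

$records = if ($Live) {
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4688 -Record $_ }
} else {
    $Samples
}

$hits = @($records | Where-Object { Test-SuspiciousAgentChild -Fields $_ })
foreach ($h in $hits) {
    [pscustomobject]@{
        Time   = $h['TimeCreated']
        Parent = $h['ParentProcessName']
        Child  = $h['NewProcessName']
        Sid    = $h['SubjectUserSid']
    }
}
"Flagged $($hits.Count) of $(@($records).Count) process-creation records."
```

Against the constructed samples only the second record is flagged. When run with -Live, expect to tune the parent-path and child-name lists to your environment: the agent legitimately launches its own helper executables, which the heuristic ignores, but a SYSTEM cmd.exe or powershell.exe with an agent parent warrants an immediate look at the user session and command line on that host.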
