CVE-2023-47195 – This CVE describes an origin validation vulnera... (How to Fix)

Q: What is the severity of CVE-2023-47195?

CVE-2023-47195 has a CVSS score of 7.8 (HIGH). This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows a local attacker to escalate privileges on affected installations. Attackers must first gain low-privileged code execution on the target system to exploit this vulnerability. Organizations using Trend Micro Apex One security agent are affected.

📋 TL;DR

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows a local attacker to escalate privileges on affected installations. Attackers must first gain low-privileged code execution on the target system to exploit this vulnerability. Organizations using Trend Micro Apex One security agent are affected.

💻 Affected Systems

Products:

Trend Micro Apex One

Versions: Specific versions not detailed in provided references; check vendor advisory for exact affected versions

Operating Systems: Windows (implied by security agent nature)

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Trend Micro Apex One security agent installation; attacker must already have low-privileged code execution capability

📦 What is this software?

Apex One by Trendmicro

View all CVEs affecting Apex One →

Apex One by Trendmicro

View all CVEs affecting Apex One →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, enabling lateral movement, data exfiltration, and persistence establishment.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, and access sensitive system resources.

🟢

If Mitigated

Limited impact due to proper access controls, network segmentation, and endpoint protection preventing initial low-privileged access.

🌐 Internet-Facing: LOW - This vulnerability requires local access and cannot be exploited remotely.

🏢 Internal Only: HIGH - Once an attacker gains initial foothold with low privileges, they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to execute low-privileged code first; similar to CVE-2023-47196 but distinct vulnerability

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US

Restart Required: Yes

Instructions:

1. Access Trend Micro Apex One management console. 2. Check for available updates. 3. Apply the security patch provided by Trend Micro. 4. Restart affected systems as required.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Limit local user accounts to prevent initial low-privileged code execution required for exploitation

Implement application whitelisting

windows

Use application control policies to prevent unauthorized code execution

🧯 If You Can't Patch

Implement strict least privilege access controls to limit local user capabilities
Deploy additional endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Trend Micro Apex One agent version against vendor advisory; review system logs for unauthorized privilege escalation attempts

Check Version:

Check Trend Micro Apex One console or agent properties for version information

Verify Fix Applied:

Verify Trend Micro Apex One agent has been updated to patched version; test privilege escalation attempts in controlled environment

📡 Detection & Monitoring

Log Indicators:

Unexpected privilege escalation events
Unauthorized process creation with elevated privileges
Security agent service anomalies

Network Indicators:

Unusual outbound connections from systems with Trend Micro Apex One

SIEM Query:

EventID=4688 AND ProcessName LIKE '%trend%' AND NewProcessName NOT IN (approved_process_list)

📊 Metadata

CVE ID: CVE-2023-47195

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-346

Published: January 23, 2024

Last Updated: June 20, 2025

🔗 References

https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1615/ Third Party Advisory,VDB Entry
https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1615/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47195, you might also want to check these: