CVE-2023-47199 – This CVE describes an origin validation vulnera... (How to Fix)

Q: What is the severity of CVE-2023-47199?

CVE-2023-47199 has a CVSS score of 7.8 (HIGH). This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows local attackers to escalate privileges on affected systems. Attackers must first gain low-privileged code execution capability to exploit this vulnerability. Organizations using Trend Micro Apex One security agent are affected.

📋 TL;DR

This CVE describes an origin validation vulnerability in Trend Micro Apex One security agent that allows local attackers to escalate privileges on affected systems. Attackers must first gain low-privileged code execution capability to exploit this vulnerability. Organizations using Trend Micro Apex One security agent are affected.

💻 Affected Systems

Products:

Trend Micro Apex One

Versions: Specific versions not detailed in provided references; consult Trend Micro advisory for exact affected versions

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Trend Micro Apex One security agent to be installed and running; attacker must have local low-privileged access first

📦 What is this software?

Apex One by Trendmicro

View all CVEs affecting Apex One →

Apex One by Trendmicro

View all CVEs affecting Apex One →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, enabling lateral movement, data exfiltration, and persistence establishment.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or access restricted system resources.

🟢

If Mitigated

Limited impact due to proper access controls, network segmentation, and endpoint protection preventing initial low-privileged access.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring initial low-privileged access on the target system.

🏢 Internal Only: HIGH - Once an attacker gains initial foothold on an internal system, they can exploit this to escalate privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires existing low-privileged access; similar to CVE-2023-47193 but not identical

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Trend Micro advisory for specific patched versions

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US

Restart Required: Yes

Instructions:

1. Review Trend Micro advisory 000295652. 2. Update Trend Micro Apex One to the latest patched version. 3. Restart affected systems to apply the patch completely.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Implement least privilege principle to limit initial low-privileged access that attackers need to exploit this vulnerability

Enable application control

windows

Use application whitelisting to prevent unauthorized code execution that could lead to initial foothold

🧯 If You Can't Patch

Implement strict access controls and network segmentation to limit lateral movement
Deploy additional endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Trend Micro Apex One agent version against advisory 000295652; vulnerable if running affected versions

Check Version:

Check Trend Micro Apex One console or agent properties for version information

Verify Fix Applied:

Verify Trend Micro Apex One agent has been updated to patched version specified in advisory

📡 Detection & Monitoring

Log Indicators:

Unusual privilege escalation events in Windows Event Logs
Suspicious Trend Micro service modifications

Network Indicators:

Unusual outbound connections from systems running Trend Micro Apex One

SIEM Query:

EventID=4688 AND ProcessName LIKE '%trend%' AND NewProcessName CONTAINS 'cmd.exe' OR 'powershell.exe'

📊 Metadata

CVE ID: CVE-2023-47199

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-346

Published: January 23, 2024

Last Updated: May 30, 2025

🔗 References

https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1620/ Third Party Advisory,VDB Entry
https://success.trendmicro.com/dcx/s/solution/000295652?language=en_US Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-23-1620/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47199, you might also want to check these: