CVE-2023-52094

7.8 HIGH

📋 TL;DR

This vulnerability in the Trend Micro Apex One agent allows a local attacker who already has low-privileged code execution to abuse the agent updater to delete arbitrary folders, potentially leading to local privilege escalation. It affects systems where the agent is deployed; the attacker must first have obtained access to the system.

💻 Affected Systems

Products:
  • Trend Micro Apex One
Versions: Specific versions not detailed in references; check vendor advisory for exact range.
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects agent installations; attacker must have low-privileged code execution ability first.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation enabling full system compromise, data deletion, or persistence mechanisms.

🟠 Likely Case: Local privilege escalation allowing attackers to gain higher privileges for further malicious activities.

🟢 If Mitigated: Limited impact if proper access controls and patching are in place, reducing escalation opportunities.

🌐 Internet-Facing: LOW, as exploitation requires local access and cannot be triggered remotely.
🏢 Internal Only: HIGH, as internal attackers or malware with low privileges can exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and low privileges, making it feasible for internal threats.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version.

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000296151?language=en_US

Restart Required: Yes

Instructions:

1. Access the Trend Micro Apex One management console.
2. Check for updates in the agent settings.
3. Apply the latest patch as per vendor instructions.
4. Restart affected systems to ensure the changes take effect.

🔧 Temporary Workarounds

Restrict Local Access (applies to: all)

Limit user privileges and enforce least-privilege principles to reduce the attack surface.

🧯 If You Can't Patch

  • Monitor for suspicious folder deletion activities and implement strict access controls.
  • Isolate affected systems from critical networks and apply network segmentation.

🔍 How to Verify

Check if Vulnerable:

Check agent version in Trend Micro Apex One console and compare with patched versions from vendor advisory.

Check Version:

On Windows: Check agent version via Trend Micro Apex One interface or system logs.

Verify Fix Applied:

Verify agent version is updated to patched version and test for vulnerability via controlled environment if possible.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected folder deletion events in system or application logs.
  • Anomalous updater process activities.

Network Indicators:

  • No direct network indicators as it's a local exploit.

SIEM Query:

Example: Event logs showing 'delete' operations from Trend Micro agent processes outside normal updates.

🔗 References