CVE-2024-36304

7.8 HIGH

📋 TL;DR

A Time-of-Check Time-of-Use (TOCTOU) vulnerability in Trend Micro Apex One and Apex One as a Service agents allows local attackers to escalate privileges on affected systems. Attackers must first have low-privileged code execution capability to exploit this flaw. This affects organizations using Trend Micro's Apex One security products.

💻 Affected Systems

Products:
  • Trend Micro Apex One
  • Trend Micro Apex One as a Service
Versions: Specific versions not detailed in references; check vendor advisory for exact ranges
Operating Systems: Windows (based on typical Apex One deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects agent installations; requires local access to target system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM/root privileges, enabling complete system compromise, data theft, lateral movement, and persistence.

🟠 Likely Case

Local attacker escalates from limited user to administrative privileges, allowing installation of malware, disabling security controls, and accessing sensitive data.

🟢 If Mitigated

With proper privilege separation and endpoint protection, impact is limited to compromise of an isolated user account.

🌐 Internet-Facing: LOW - Requires local access; cannot be exploited remotely.
🏢 Internal Only: HIGH - Local attackers (including compromised user accounts) can exploit to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local code execution first; TOCTOU race condition exploitation requires precise timing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://success.trendmicro.com/dcx/s/solution/000298063

Restart Required: Yes

Instructions:

1. Access the Trend Micro Apex One management console.
2. Check for available updates.
3. Apply the security patch for the agent.
4. Restart affected systems to complete installation.

🔧 Temporary Workarounds

Restrict local user privileges (Platform: Windows)

Limit local user accounts to the minimum necessary privileges to reduce the attack surface.

Enable application control (Platform: Windows)

Use application whitelisting to prevent unauthorized code execution.

🧯 If You Can't Patch

  • Isolate affected systems from critical network segments
  • Implement strict monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Apex One agent version against vendor advisory; vulnerable if running unpatched version.

Check Version:

Check Apex One console or agent properties for version information

Verify Fix Applied:

Verify agent version matches patched version in vendor advisory and no privilege escalation attempts detected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with elevated privileges
  • Security software tampering events
  • Failed privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

EventID=4688 AND NewProcessName contains suspicious AND ParentProcessName contains apex
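The SIEM query above is pseudo-syntax ("contains suspicious" is a placeholder, not a field value). The following added example, which is not part of this advisory and not Trend Micro code, turns it into concrete detection logic over constructed Windows 4688 (process creation) records: it flags a process that receives a full (elevated) token and whose parent is the Apex One agent, unless the child is one the agent is expected to launch. The agent path fragment and the expected-child allowlist are placeholders to be replaced from your own software inventory; the sample records are constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional

# Placeholders, not values from the advisory: the path fragment that identifies
# the Apex One agent process and the child binaries it is expected to launch.
# Replace both with names taken from your own software inventory.
AGENT_PATH_FRAGMENT = "trend micro\\apex one"
EXPECTED_AGENT_CHILDREN = {"agent_helper_placeholder.exe"}

# 4688 TokenElevationType values meaning the new process got a full token:
# %%1936 = TokenElevationTypeDefault, %%1937 = TokenElevationTypeFull.
# %%1938 (TokenElevationTypeLimited) is a filtered, non-admin token.
ELEVATED_TOKEN_TYPES = {"%%1936", "%%1937"}

# Constructed sample records in a pipe-delimited key=value format (not real
# exported events). Only the first one should be flagged.
SAMPLE_EVENTS = [
    r"EventID=4688|NewProcessName=C:\Windows\System32\cmd.exe"
    r"|ParentProcessName=C:\Program Files\Trend Micro\Apex One\agent_placeholder.exe"
    r"|SubjectUserName=lowpriv|TokenElevationType=%%1936",
    r"EventID=4688|NewProcessName=C:\Program Files\Trend Micro\Apex One\agent_helper_placeholder.exe"
    r"|ParentProcessName=C:\Program Files\Trend Micro\Apex One\agent_placeholder.exe"
    r"|SubjectUserName=SYSTEM|TokenElevationType=%%1936",
    r"EventID=4688|NewProcessName=C:\Windows\System32\notepad.exe"
    r"|ParentProcessName=C:\Windows\explorer.exe"
    r"|SubjectUserName=lowpriv|TokenElevationType=%%1938",
    r"EventID=4624|SubjectUserName=lowpriv",
    "this line is malformed and must be skipped",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one pipe-delimited key=value record; None if malformed."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields if "EventID" in fields else None


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Elevated child of the agent process that is not on the allowlist."""
    if ev.get("EventID") != "4688":
        return False
    parent = ev.get("ParentProcessName", "").lower()
    if AGENT_PATH_FRAGMENT not in parent:
        return False
    if ev.get("TokenElevationType") not in ELEVATED_TOKEN_TYPES:
        return False
    # Compare only the executable name, case-insensitively.
    child = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    return child not in EXPECTED_AGENT_CHILDREN


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the filter over raw records, skipping ones that do not parse."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["NewProcessName"], "spawned by", hit["ParentProcessName"],
              "for", hit["SubjectUserName"])
```

The allowlist approach is deliberate: a TOCTOU-style escalation typically ends with the privileged agent launching something it normally never launches, so "unexpected elevated child of the agent" is a tighter signal than a keyword match on the child name. Tune the allowlist against a baseline of normal agent activity before alerting on it.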
