CVE-2024-48904

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 22, 2024 / Updated: 28d ago

CVSS 9.8 / EPSS 0.05% / Critical

Summary

A command injection vulnerability in Trend Micro Cloud Edge could allow a remote attacker to execute arbitrary code on affected appliances. Authentication is not required to exploit this vulnerability.

Impact

This vulnerability has a critical severity with a CVSS v3.1 base score of 9.8. It allows for remote code execution without requiring authentication. The impact is severe across all three main security objectives:

1. Confidentiality: High impact, potentially allowing attackers to access sensitive information.
2. Integrity: High impact, enabling attackers to modify data or systems.
3. Availability: High impact, possibly leading to system downtime or denial of service.

The attack vector is network-based, requires no user interaction, and has low attack complexity, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

Based on the provided information, there is no explicit mention of a patch being available. The security team should check with Trend Micro for the latest security updates or patches for Cloud Edge.

Mitigation

Given the critical nature of this vulnerability, the following mitigation steps are recommended:

1. Immediately isolate affected Trend Micro Cloud Edge appliances from the network if possible.
2. Apply any available security patches or updates from Trend Micro as soon as they become available.
3. Implement strong network segmentation to limit potential attacker access to the vulnerable systems.
4. Monitor systems for any signs of exploitation or unusual activity.
5. Consider implementing additional network security controls such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) to help detect and block potential exploitation attempts.
6. Regularly check for and apply security updates for all Trend Micro products, especially Cloud Edge.
7. If patches are not immediately available, consult with Trend Micro for any temporary mitigation measures or workarounds.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Feedly found the first article mentioning CVE-2024-48904.
Oct 17, 2024 at 4:49 AM / Latest Newsroom

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 17, 2024 at 4:49 AM

CVE Assignment
NVD published the first details for CVE-2024-48904
Oct 22, 2024 at 7:15 PM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 22, 2024 at 7:20 PM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 17.2%)
Oct 23, 2024 at 2:07 PM

EPSS
EPSS Score was set to: 0.05% (Percentile: 17.6%)
Nov 15, 2024 at 4:27 PM

Affected Systems

Trendmicro/cloud_edge

Attack Patterns

CAPEC-136: LDAP Injection

News

Command injection vulnerability in Trend Micro Cloud Edge
Trend Micro Incorporated has released a security update for Cloud Edge to fix a command injection vulnerability (CVE-2024-48904).
THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)
Severe Cryptographic Flaws in 5 Cloud Storage Providers: Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. CISA, FBI Investigating Salt Typhoon Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the U.S. government is investigating "the unauthorized access to commercial telecommunications infrastructure" by threat actors linked to China.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
