CVE-2017-11394 in OfficeScan

Summary

by MITRE

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitrary code on vulnerable installations. The specific flaw can be exploited by parsing the T parameter within Proxy.php. Formerly ZDI-CAN-4544.


Analysis

by VulDB Data Team • 11/09/2025

The vulnerability identified as CVE-2017-11394 represents a critical command injection flaw within Trend Micro OfficeScan versions 11 and XG (12) that enables remote attackers to execute arbitrary code on affected systems. This vulnerability specifically resides in the proxy functionality of the OfficeScan server component, where the application fails to properly sanitize user input before processing it within command execution contexts. The flaw manifests when the application parses the T parameter within the Proxy.php script, creating an avenue for malicious input to be interpreted and executed as system commands.

This vulnerability maps to CWE-77, improper neutralization of special elements used in a command; where the tainted value is handed to an operating-system shell, the more specific CWE-78 (OS command injection) applies. The entry also cites CWE-94 (code injection), which is a sibling weakness class rather than a refinement of CWE-77. The attack vector is the T parameter of Proxy.php: the value is taken from the request and incorporated into a command without validation or escaping, so shell metacharacters in the parameter are interpreted as command separators instead of as part of the intended argument, and whatever follows them runs with the privileges of the OfficeScan web service.
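The injection mechanism described above, as an added example (hypothetical code, not Trend Micro's Proxy.php): a handler that takes a URL from a T parameter and hands it to a command-line fetcher. The vulnerable version interpolates the value into a shell string; the hardened version validates the URL against a host allowlist and passes it as a single argv element with no shell involved. The fetcher is a constructed stand-in (`printf '[%s]'`) that echoes back each argument it received in brackets, so the example runs offline and shows exactly what reaches the tool.

```python
"""Command injection through a proxied URL parameter: vulnerable vs. hardened.

Hypothetical handler, not Trend Micro's code. The real downloader is replaced by
a constructed stand-in, `printf '[%s]'`, which prints each argument it receives
in brackets; that makes visible what the tool saw without touching the network.
"""
import subprocess
from typing import Optional
from urllib.parse import urlparse

FETCH_TOOL = "printf"   # stand-in for the real fetch command (constructed)
FETCH_FMT = "[%s]"      # printf format: brackets show argument boundaries


def fetch_unsafe(target: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell string.

    /bin/sh re-parses the string, so ';', '|', backticks and $( ) inside
    `target` terminate the intended command and start a new one.
    """
    cmd = f"{FETCH_TOOL} '{FETCH_FMT}' {target}"   # no validation, no quoting
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def check_target(target: str, allowed_hosts: frozenset) -> Optional[str]:
    """Return a rejection reason for `target`, or None if it passes the allowlist."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return f"scheme not allowed: {parsed.scheme!r}"
    if parsed.hostname not in allowed_hosts:
        return f"host not allowed: {parsed.hostname!r}"
    return None


def fetch_safe(target: str, allowed_hosts: frozenset) -> str:
    """Hardened pattern: validate, then pass the value as one argv element.

    The allowlist stops the proxy being pointed at arbitrary hosts (defence in
    depth); the argv list is what actually removes the injection, because no
    shell ever sees the string, so metacharacters stay inside one argument.
    """
    reason = check_target(target, allowed_hosts)
    if reason is not None:
        raise ValueError(reason)
    out = subprocess.run([FETCH_TOOL, FETCH_FMT, target],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    payload = "http://updates.example.test/; echo INJECTED"   # constructed
    allowed = frozenset({"updates.example.test"})
    print("unsafe:", repr(fetch_unsafe(payload)))
    print("safe:  ", repr(fetch_safe(payload, allowed)))
```

Running the module prints the unsafe result as `'[http://updates.example.test/]INJECTED\n'` (the second command ran) and the safe result as `'[http://updates.example.test/; echo INJECTED]'` (the whole string reached the tool as one argument). Quoting with `shlex.quote` would also defeat this particular payload, but the argv form is preferable because it does not depend on getting the quoting right for every shell.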

The operational impact is severe. The MITRE summary describes remote code execution and does not mention an authentication requirement; if Proxy.php is reachable without a valid console session, anyone who can reach the server gains code execution in the context of the OfficeScan web service. Because OfficeScan is the management server for an organization's endpoint agents, full control of it is a strong pivot point for data exfiltration and lateral movement. In ATT&CK terms the initial access is T1190 (Exploit Public-Facing Application, where the console is reachable from the attacker's position) and the resulting execution is T1059 (Command and Scripting Interpreter).

Mitigation starts with the vendor patch for the affected OfficeScan 11 and XG builds, which corrects the handling of the T parameter in Proxy.php. Until it is applied, restrict network access to the OfficeScan management server to administrative hosts only; the console should not be reachable from user segments, let alone from the internet. Detection is straightforward to scope: log and alert on requests whose path ends in Proxy.php and whose T parameter, after URL decoding, contains shell metacharacters (semicolon, pipe, backtick, $( and newlines). A web application firewall rule on the same condition is a useful stopgap, with two caveats: it must decode the parameter before matching, since attackers double-encode payloads, and it is not a substitute for the patch.
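The detection rule sketched above, as an added example (my code, not VulDB's or Trend Micro's): a log scanner that parses combined-format web server lines, decodes the T parameter of any request to a script named Proxy.php, and flags values containing shell metacharacters. The sample log lines and the /console/ path are constructed for the example; OfficeScan's real console path is not asserted here. Double-encoded payloads are decoded a second time so that %253B does not slip past the rule.

```python
"""Flag command-injection attempts against the T parameter of Proxy.php.

Added example, not VulDB's or Trend Micro's code. Log lines and the /console/
path are constructed; only the script name Proxy.php comes from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a proxied URL. '&' is left out
# on purpose: a legitimate target URL can carry its own query string.
SHELL_META = re.compile(r"[;|`\n\r]|\$\(|\$\{")


def suspicious_t_value(target: str):
    """Return the decoded T value if the request looks like an injection, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("proxy.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("T", []):
        decoded = unquote(value)   # parse_qs decoded once; this catches double encoding
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return (client_ip, timestamp, decoded_T) for every flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # malformed or unrelated line
        hit = suspicious_t_value(m["target"])
        if hit is not None:
            alerts.append((m["ip"], m["ts"], hit))
    return alerts


# Constructed sample lines: one benign proxied URL, one plain injection,
# one double-encoded injection, one hit on a different script, one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Aug/2017:10:00:01 +0000] "GET /console/Proxy.php?T=http%3A%2F%2Fupdates.example.test%2Fstatus%3Fa%3D1%26b%3D2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Aug/2017:10:00:09 +0000] "GET /console/Proxy.php?T=http%3A%2F%2Fx%2F%3Bid HTTP/1.1" 200 231',
    '198.51.100.7 - - [03/Aug/2017:10:00:12 +0000] "GET /console/Proxy.php?T=http%253A%252F%252Fx%252F%257C%2520id HTTP/1.1" 200 231',
    '10.0.0.9 - - [03/Aug/2017:10:01:00 +0000] "GET /console/index.php?T=a%3Bb HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} Proxy.php T={value!r}")
```

On the sample data the scanner reports the two requests from 198.51.100.7 (`http://x/;id` and, after the second decode, `http://x/| id`) and ignores the benign proxied URL whose own query string contains `&`. The metacharacter list is a heuristic, so expect to tune it; a 200 status on a flagged request is the signal that deserves the fastest response.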

Reservation: 07/17/2017
Disclosure: 08/03/2017
Moderation: accepted
CPE: ready
EPSS: 0.80666
KEV: no
Activities: very low
