CVE-2020-24557 in Apex Oneinfo

Summary

by MITRE

A vulnerability in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows may allow an attacker to manipulate a particular product folder to disable the security temporarily, abuse a specific Windows function and attain privilege escalation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Please note that version 1909 (OS Build 18363.719) of Microsoft Windows 10 mitigates hard links, but previous versions are affected.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 10/31/2025

This vulnerability resides in Trend Micro Apex One and Worry-Free Business Security version 10.0 SP1 running on Microsoft Windows systems, representing a sophisticated privilege escalation flaw that leverages both product-specific folder manipulation and Windows kernel functions. The security weakness stems from inadequate permission controls within the product's folder structure, specifically allowing manipulation of certain directories that contain critical security components. Attackers can exploit this by first establishing a foothold through low-privileged code execution, then leveraging the compromised folder access to temporarily disable security functions. The vulnerability operates through a combination of hard link manipulation and Windows API abuse, creating a pathway for elevation from user-level privileges to system-level access. This represents a classic case of insufficient access control where the security product itself becomes a vector for privilege escalation rather than a protective barrier.

The technical implementation of this vulnerability involves exploiting a specific Windows function that handles file system operations, particularly focusing on how the security software manages its own directory structures. When an attacker can manipulate the product folder contents, they can effectively bypass the security product's own protective mechanisms by creating symbolic links or hard links that redirect system calls. The Windows operating system's handling of these file system operations creates an opportunity where the security software's own processes become vulnerable to manipulation, as the product does not properly validate or restrict access to its own critical directories. This flaw specifically affects systems running Windows versions prior to 10 version 1909, where hard link restrictions were introduced as a mitigating control, making older versions particularly susceptible to this exploitation technique.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it allows attackers to effectively neutralize the security protections that the Trend Micro products are designed to provide. Once successfully exploited, the attacker gains full system-level privileges, enabling them to access sensitive data, install malware, modify system configurations, or establish persistence mechanisms. The temporary nature of the security disablement means that the attack can be executed without permanent damage to the system, making detection more challenging. This vulnerability directly relates to CWE-276, which addresses incorrect permissions for critical resources, and aligns with ATT&CK technique T1068, which covers privilege escalation through local exploitation. The attack chain typically begins with initial access through social engineering, phishing, or other exploitation vectors, followed by the specific privilege escalation technique that leverages the Trend Micro product's own folder structure.

Mitigation strategies for this vulnerability require a multi-layered approach combining immediate product updates, system hardening, and operational security measures. Organizations should immediately apply the latest Trend Micro patches and updates that address this specific folder manipulation vulnerability. System administrators must implement strict file system permissions on Trend Micro product directories, particularly restricting write access to system-level accounts and preventing user-level processes from modifying critical security folders. Network segmentation and least privilege principles should be enforced to limit the potential impact of successful exploitation, while monitoring systems should be configured to detect unusual file system activities or hard link creation in security product directories. The Windows version 1909 mitigation through hard link restrictions represents a crucial defensive measure that organizations should prioritize when upgrading their operating systems. Additionally, regular security audits should verify that Trend Micro product configurations properly enforce access controls, and endpoint detection and response solutions should be configured to alert on suspicious privilege escalation activities or unusual security product behavior.

Sources

Do you know our Splunk app?

Download it now for free!