Trend Micro Apex One/Apex One as a Service Plug-in User Interface Manager incorrect user management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.5 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Trend Micro Apex One and Apex One as a Service. It has been rated as critical. Affected by this vulnerability is an unknown functionality of the component Plug-in User Interface Manager. The manipulation leads to Local Privilege Escalation. This vulnerability is documented as CVE-2024-58105. The attack needs to be performed locally. There is not any exploit available. Upgrading the affected component is advised.
Details
A vulnerability was found in Trend Micro Apex One and Apex One as a Service (version unknown). It has been rated as critical. This issue affects an unknown function of the component Plug-in User Interface Manager. The manipulation with an unknown input leads to a local privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-286. The product does not properly manage a user within its environment. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
A vulnerability in the Trend Micro Apex One Security Agent Plug-in User Interface Manager could allow a local attacker to bypass existing security and execute arbitrary code on affected installations. This CVE address an addtional bypass not covered in CVE-2024-58104. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The advisory is shared at success.trendmicro.com. The identification of this vulnerability is CVE-2024-58105 since 03/25/2025. The exploitation is known to be easy. An attack has to be approached locally. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 08/01/2025).
Upgrading eliminates this vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Vendor
Name
License
Website
- Vendor: https://www.trendmicro.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.6VulDB Meta Temp Score: 7.5
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CNA Base Score: 7.3
CNA Vector (trendmicro): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Incorrect user managementCWE: CWE-286
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
03/25/2025 🔍03/25/2025 🔍
03/25/2025 🔍
08/01/2025 🔍
Sources
Vendor: trendmicro.comAdvisory: success.trendmicro.com
Status: Confirmed
CVE: CVE-2024-58105 (🔍)
GCVE (CVE): GCVE-0-2024-58105
GCVE (VulDB): GCVE-100-301301
Entry
Created: 03/25/2025 21:40Updated: 08/01/2025 17:32
Changes: 03/25/2025 21:40 (61), 03/26/2025 10:14 (1), 08/01/2025 17:32 (11)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.