Exploitation for Priv-Esc × Trend Micro Deep Security Agent 20

A publicly-reported instance of Exploitation for Priv-Esc bypassing Trend Micro Deep Security Agent 20, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Trend Micro Deep Security Agent 20

Technique

Exploitation for Priv-Esc

MITRE ATT&CK

T1068

Confidence

High

Severity

Critical

Status

unknown

Disclosed

2024-11-18

Config / version noted

Not stated

Provenance

dbugs.ptsecurity.com
disclosed 2024-11-18 · original source · via exa
rewterz.com
disclosed 2024-11-20 · original source · via exa

Reported as

command injection vulnerability in Trend Micro Deep Security Agent version 20 allows authenticated attackers with low privileges to escalate privileges

Mechanism

OS command injection in the manual scan feature of the Deep Security Agent. An attacker with low-privileged code execution on the target can inject arbitrary commands, leading to privilege escalation and remote code execution. In domain contexts, domain user privileges enable remote command injection to other agents.

Detection & mitigation

Monitor process creation events for suspicious child processes spawned by the Trend Micro Deep Security Agent service (e.g., cmd.exe, powershell.exe) with command-line arguments indicative of injection (e.g., unusual concatenation, encoded commands). Mitigation: Apply vendor patch and restrict agent communication to trusted hosts only.

Exploitation for Priv-Esc has also been recorded against

Apple Atlassian Bitdefender Broadcom (Symantec)Comodo Security ConnectWise CrowdStrike Elastic ESET F5 Fortinet Google

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.