CVE-2019-18187 — Trend Micro OfficeScan Directory Traversal Vulnerability

Trend Micro OfficeScan — Unauthenticated Path Traversal via Zip Extraction Exposes Server Credentials and Configuration Files

What is Trend Micro OfficeScan?

Trend Micro OfficeScan (succeeded by Apex One in 2019) was Trend Micro's flagship enterprise endpoint protection platform, deployed by organizations worldwide to centrally manage antivirus, intrusion detection, and threat response across their endpoint estates. The OfficeScan Management Server provides a web console that administrators use to push policy updates, threat signatures, and configuration changes to endpoint agents. Because the server operates as a trusted distribution point for security configurations across all managed endpoints — and because it stores sensitive configuration files, database credentials, and API keys — it is an especially high-value target. An unauthenticated read of server-side files can expose the credentials needed to further compromise both the security infrastructure and the broader enterprise.

Overview

CVE-2019-18187 is an unauthenticated directory traversal vulnerability in Trend Micro OfficeScan. A remote attacker with no prior credentials can send a specially crafted request that causes the OfficeScan server to extract a zip file to a path that traverses outside the intended directory, allowing arbitrary files to be read from the server filesystem. Sensitive targets include database credentials, API tokens, configuration files, and Active Directory integration settings stored on the server. Trend Micro patched the vulnerability in October 2019, but CISA added it to KEV over two years later in November 2021, indicating ongoing exploitation activity against unpatched servers.

Affected Versions

Product                         Vulnerable                    Fixed
Trend Micro OfficeScan XG       All builds prior to patch     Apply CP 4979 (Build 2101) or later
Trend Micro OfficeScan XG SP1   All builds prior to patch     Apply CP 4979 or later

Technical Details

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory — "Path Traversal"). The OfficeScan Management Server includes functionality to extract zip archives to server-side directories as part of its update and configuration workflow. A flaw in the path validation logic allows an attacker to supply a crafted zip file containing entries with ../ directory traversal sequences. When the server extracts the archive, it follows these sequences and writes or reads files outside the intended target directory.

The AV:N/PR:N CVSS rating — network-exploitable with no authentication required — reflects that the vulnerable endpoint is accessible over the network without any prior login. The C:H/I:N/A:N breakdown indicates this is a read vulnerability: the attacker can retrieve arbitrary server files but cannot write or execute code directly through this CVE alone. Chaining with a separate write or execution primitive enables full server compromise.
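The defensive counterpart to the flaw described above is an extraction routine that decides on the fully normalised destination path of every archive entry rather than on a substring search for ../. The following is an added example written for this page, not Trend Micro code and not a reconstruction of the vulnerable OfficeScan routine; the archive it processes is constructed in memory and the hypothetical helper names are the author's own.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath
from typing import Optional


def resolve_member(name: str, dest: Path) -> Optional[Path]:
    """On-disk path for an entry, or None if it escapes dest. Decide on the
    normalised path, not a '../' substring search: 'ok/../../../x' only
    reveals the escape once it is collapsed."""
    norm = name.replace("\\", "/")  # a Windows server treats both as separators
    if not norm or norm.endswith("/"):
        return None  # empty names and bare directory entries carry no file
    if norm.startswith("/") or PureWindowsPath(norm).drive:
        return None  # absolute paths, drive letters and UNC prefixes are refused
    root = dest.resolve()
    target = (root / norm).resolve()
    return target if root in target.parents else None


def safe_extract(data: bytes, dest: Path) -> dict[str, list[str]]:
    """Extract only entries that stay inside dest; report what was refused."""
    report: dict[str, list[str]] = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = resolve_member(info.filename, dest)
            if target is None:
                report["rejected"].append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.ini", "key=value\n")
        zf.writestr("../../outside.txt", "must never be written\n")
        zf.writestr("ok/../../../escape.txt", "escapes after normalisation\n")
    return buf.getvalue()


def run_demo() -> dict[str, list[str]]:
    # Extract the constructed archive into a fresh temporary directory.
    return safe_extract(build_sample_archive(), Path(tempfile.mkdtemp()))
```

Because the check runs on the resolved path, an entry that hides the escape behind an innocent prefix is refused just like a bare ../ entry, while a harmless a/../b.txt is still accepted.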

The OfficeScan server typically stores:

  • Database connection strings with plaintext credentials
  • Active Directory bind credentials used for agent authentication
  • API keys for threat intelligence integrations
  • Internal network topology information from managed endpoint configurations

Any of these can be leveraged for lateral movement or further privilege escalation within the enterprise.

Discovery

No individual researcher was publicly credited for reporting CVE-2019-18187. Trend Micro published the advisory and patch in October 2019.

Exploitation Context

CISA added CVE-2019-18187 to the KEV catalog on November 3, 2021, just over two years after the initial patch. This delayed KEV addition reflects ongoing exploitation of the vulnerability against organizations that had not applied the October 2019 patch. No specific threat actor group has been publicly attributed. The vulnerability's unauthenticated nature and the high value of OfficeScan server credentials make it a persistent target for initial-access brokers and financially motivated threat actors targeting enterprise security infrastructure.

Remediation

  1. Apply the OfficeScan XG Critical Patch (CP 4979 / Build 2101) from the Trend Micro Download Center for all OfficeScan XG and XG SP1 installations.
  2. Restrict access to the OfficeScan Management Server — the server should not be exposed to the internet or to untrusted network segments.
  3. Review OfficeScan server logs for evidence of zip extraction operations from unexpected source IPs, particularly any requests predating the patch that may indicate prior compromise.
  4. Rotate any credentials stored on or accessible from the OfficeScan server (database passwords, AD bind credentials, API keys) if the server may have been reached by unauthorized parties.
  5. Consider migrating to Trend Micro Apex One, which replaced OfficeScan and received updated security hardening.

See Also

This CVE is part of a sustained pattern of Trend Micro endpoint security management console vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property              Value
CVE ID                CVE-2019-18187
Vendor / Product      Trend Micro — OfficeScan
NVD Published         2019-10-28
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-22
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2019-10-28  CVE published; Trend Micro releases patch for OfficeScan XG and OfficeScan XG SP1
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline