What is Trend Micro Apex One, OfficeScan, and Worry-Free Business Security?
Trend Micro Apex One and OfficeScan are enterprise endpoint protection platforms; Worry-Free Business Security targets SMBs. All three deploy security agents on managed Windows endpoints. These agents run with elevated privileges to perform security functions — scanning, process inspection, and policy enforcement — and they maintain dedicated installation folders and Windows service components that operate with SYSTEM-level authority. Improper access controls on agent-managed resources can allow a low-privilege local attacker to interact with these privileged components in unintended ways, turning the security agent itself into a local privilege escalation vector.
Overview
CVE-2020-24557 is a local privilege escalation vulnerability in the endpoint agents of Trend Micro Apex One, OfficeScan, and Worry-Free Business Security. A low-privilege local attacker can manipulate a specific agent product folder to temporarily disable the endpoint's security protection, then abuse a Windows-specific privilege mechanism to escalate to SYSTEM-level code execution. The vulnerability is agent-side (AV:L — local access required), distinguishing it from the March 2020 server-side vulnerabilities in the same product family. CISA added it to KEV in November 2021.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Trend Micro Apex One (On-Premise) | All builds prior to September 2020 patch | Apply September 2020 Critical Patch |
| Trend Micro OfficeScan XG SP1 | All builds prior to September 2020 patch | Apply September 2020 Critical Patch |
| Trend Micro Worry-Free Business Security | All builds prior to September 2020 patch | Apply September 2020 Critical Patch |
Technical Details
The Trend Micro agent installs components into directories and configures Windows services that run under SYSTEM privileges. A flaw in the access control configuration on one of these product folders allows a low-privilege user to gain write access to a location that should be restricted to SYSTEM or administrators only.
The attack proceeds in two stages:
- Disable protection: The attacker manipulates the writable folder to interfere with the security agent's operation, temporarily disabling real-time protection or self-defense mechanisms.
- Windows privilege abuse: With protection disabled, the attacker abuses a Windows mechanism — such as DLL hijacking or a vulnerable service binary path — that executes in the context of a SYSTEM-privileged agent component, achieving privilege escalation.
The AV:L/PR:L rating reflects that this requires the attacker to already have a local user session on the target endpoint — it is a post-initial-access LPE technique rather than a remote attack vector. In attack chains, local privilege escalation vulnerabilities in AV agent software are particularly valuable: the security tool's elevated privileges are used to compromise the endpoint more deeply, and targeting the security tool simultaneously degrades its detection capabilities.
Discovery
Trend Micro published the advisory in September 2020. No external researcher was publicly credited.
Exploitation Context
CISA added CVE-2020-24557 to the KEV catalog on November 3, 2021. No specific threat actor group has been publicly attributed. As a post-initial-access LPE that also temporarily disables endpoint protection during exploitation, this vulnerability is well-suited to use in broader attack chains — initial access establishes the low-privilege foothold, CVE-2020-24557 escalates to SYSTEM while blinding the AV agent.
Remediation
- Apply the Trend Micro September 2020 Critical Patch for Apex One, OfficeScan XG SP1, and Worry-Free Business Security.
- Verify agent folder access control lists (ACLs) on managed endpoints to confirm that non-admin users cannot write to agent installation directories.
- Monitor endpoint security logs for sudden protection-state changes (protection disabled events) that could indicate exploitation in progress.
- Apply the principle of least privilege on managed endpoints — ensure standard users do not have unnecessary local filesystem permissions beyond their home directories.
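One way to carry out the ACL check in the second item above, as an added example that is not Trend Micro's own tooling: a PowerShell audit that walks an agent installation folder and reports every allow ACE that grants write-class rights to a principal a standard user is a member of. The install path is a placeholder and the principal list is an assumed default; both should be adjusted for the environment.

```powershell
# Added audit script (not Trend Micro's code). Assumptions: $AgentRoot is the
# agent installation folder (placeholder path below) and $LowPrivPrincipals
# covers the groups a standard, non-admin user belongs to by default.
param(
    [string]$AgentRoot = 'C:\PLACEHOLDER\AgentInstallFolder'   # replace with the real agent folder
)

$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER'
)

# Any of these rights lets the holder create, replace, delete or re-ACL content,
# which is exactly what a weak folder ACL hands to a low-privilege local user.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Find-WeakAgentAcl {
    param([string]$Root)
    # Audit the root itself plus every file and subfolder beneath it.
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Find-WeakAgentAcl -Root $AgentRoot
if ($findings) { $findings | Format-Table -AutoSize }
else { "No write-class access for low-privilege principals under $AgentRoot" }
```

Any row in the output is a folder or file that a standard user can alter and therefore a candidate for the weak-ACL condition described in Technical Details; an empty result on a patched endpoint is the expected state.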
See Also
This CVE is part of a sustained pattern of Trend Micro endpoint security vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-24557 |
| Vendor / Product | Trend Micro — Apex One, OfficeScan, and Worry-Free Business Security |
| NVD Published | 2020-09-01 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Local (L) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | Low (L) |
| User Interaction (UI) | None (N) |
| Scope (S) | Unchanged (U) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
Timeline
| Date | Event |
|---|---|
| 2020-09-01 | Trend Micro publishes advisory and patch for CVE-2020-24557 |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2020-24557 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |