CVE-2020-8467 — Trend Micro Apex One and OfficeScan Remote Code Execution Vulnerability

Trend Micro Apex One and OfficeScan — Migration Tool Component RCE; Chained with Auth Bypass CVE-2020-8599 for Unauthenticated RCE in Active Exploitation

What is Trend Micro Apex One and OfficeScan?

Trend Micro Apex One (and its predecessor OfficeScan) is Trend Micro's enterprise endpoint protection platform, used by organizations to centrally manage endpoint security across all managed workstations and servers. The Apex One Management Server receives and processes requests from endpoint agents and administrators; vulnerabilities in its server-side components — including internal tools such as the migration utility — can expose the entire managed endpoint estate to compromise via a single server-side attack.

Overview

CVE-2020-8467 is a remote code execution vulnerability in the migration tool component of Trend Micro Apex One and OfficeScan. An authenticated attacker with low-privilege access can exploit a flaw in the migration utility to achieve arbitrary code execution on the server. In active exploitation observed by Trend Micro and confirmed at the time of the March 2020 advisory, this vulnerability was chained with CVE-2020-8599 — a critical authentication bypass (CVSS 9.8, PR:N) — to achieve unauthenticated remote code execution: CVE-2020-8599 provides admin-level access without credentials, and CVE-2020-8467 then delivers code execution. CISA added it to KEV in November 2021.

Affected Versions

Product | Vulnerable | Fixed
Trend Micro Apex One (On-Premise) | All builds prior to March 2020 patch | Apply Critical Patch from March 2020 advisory
Trend Micro OfficeScan XG SP1 | All builds prior to March 2020 patch | Apply Critical Patch from March 2020 advisory

Technical Details

The migration tool component — used during product version upgrades — contains a code injection flaw. The component processes user-supplied data without adequate validation, allowing an attacker to inject and execute arbitrary code in the context of the server process, which runs with elevated privileges.

The PR:L (Low Privileges Required) CVSS rating indicates that, taken in isolation, the flaw requires authentication. In practice this condition is nullified when the flaw is combined with CVE-2020-8599 (CVSS 9.8, PR:N), which allows unauthenticated users to gain admin-level access. Trend Micro's March 2020 advisory explicitly confirmed active exploitation of the CVE-2020-8599 + CVE-2020-8467 chain at patch time, indicating threat actors had developed and deployed the two-stage exploit before disclosure.

Discovery

Trend Micro's internal security team identified active exploitation prior to the March 2020 advisory. No external researcher was publicly credited for the initial discovery.

Exploitation Context

Trend Micro confirmed active in-the-wild exploitation of CVE-2020-8467 chained with CVE-2020-8599 at the time of the March 2020 advisory. The combination produced a pre-authentication RCE chain against the Apex One/OfficeScan management console — a critical result since the server has administrative access to all managed endpoints. CISA added CVE-2020-8467 to the KEV catalog on November 3, 2021. No specific threat actor group has been publicly attributed.

Remediation

  1. Apply the Critical Patch from Trend Micro's March 2020 advisory for Apex One and OfficeScan XG SP1 immediately.
  2. Also apply the fix for CVE-2020-8599 (authentication bypass) — both must be patched to close the unauthenticated RCE chain.
  3. Restrict the Apex One Management Server to trusted administrative networks — the console should never be internet-accessible.
  4. Review server logs for unexpected requests to the migration tool endpoint predating the March 2020 patch.
  5. If the server was potentially compromised, audit all managed endpoint agent configurations for unauthorized policy changes pushed from the server.
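One way to carry out the log review in steps 3 and 4, as an added example that is not part of the original page or any Trend Micro tooling: it reads web server logs in W3C extended format and lists requests to the migration tool path that arrived before the patch was installed from outside the trusted administrative networks. The W3C log format, the path marker (a placeholder, since the page does not name the endpoint), the patch date and the admin network are all assumptions to replace with site values; the log lines are constructed.

```python
import ipaddress
from datetime import date

# Assumptions, not from the advisory: replace with site-specific values.
MIGRATION_PATH_MARKER = "/PLACEHOLDER-migration-tool-path"  # real path not given on the page
PATCH_INSTALLED = date(2020, 3, 20)                   # constructed local patch date
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # constructed trusted admin network

# Constructed sample log in W3C extended format.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-03-02 09:14:07 10.20.0.15 POST /PLACEHOLDER-migration-tool-path 200
2020-03-05 02:41:33 198.51.100.23 POST /PLACEHOLDER-migration-tool-path 200
2020-03-05 02:41:40 198.51.100.23 GET /console/index.html 200
2020-03-25 11:00:00 203.0.113.9 POST /PLACEHOLDER-migration-tool-path 403
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_requests(text):
    """Pre-patch requests to the migration tool path from untrusted sources."""
    hits = []
    for rec in parse_w3c(text):
        when = date.fromisoformat(rec["date"])
        src = ipaddress.ip_address(rec["c-ip"])
        trusted = any(src in net for net in ADMIN_NETS)
        on_path = MIGRATION_PATH_MARKER.lower() in rec["cs-uri-stem"].lower()
        if on_path and when < PATCH_INSTALLED and not trusted:
            hits.append((rec["date"], rec["time"], rec["c-ip"], rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

Requests from inside the administrative networks are not flagged here, so a hit list that comes back empty does not by itself clear the server; step 5 still applies if compromise is suspected.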

See Also

This CVE is part of a sustained pattern of Trend Micro endpoint security management console vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property | Value
CVE ID | CVE-2020-8467
Vendor / Product | Trend Micro — Apex One and OfficeScan
NVD Published | 2020-03-18
NVD Last Modified | 2025-10-31
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date | Event
2020-03-18 | Trend Micro publishes advisory patching CVE-2020-8467, CVE-2020-8468, and CVE-2020-8599 together; active exploitation of the CVE-2020-8599 + CVE-2020-8467 chain confirmed at time of advisory
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline
