What is Trend Micro Apex One and OfficeScan?
Trend Micro Apex One (and its predecessor OfficeScan) is Trend Micro's enterprise endpoint protection platform used by organizations to centrally manage endpoint security across all managed workstations and servers. The Apex One Management Server is the hub through which security policies, threat signatures, and configuration changes flow to every managed endpoint. Unauthenticated access to the management server grants the ability to control every security agent in the deployment — disabling protection, modifying policies, or pivoting to managed endpoints — making authentication bypass in this product class one of the most severe possible outcomes.
Overview
CVE-2020-8599 is a critical (CVSS 9.8) authentication bypass vulnerability in the Trend Micro Apex One and OfficeScan management server. The server contains a vulnerable executable that a remote unauthenticated attacker can interact with to bypass root login authentication, effectively gaining admin-level access to the management console without credentials. Trend Micro confirmed active exploitation at the time of the March 2020 advisory, noting that CVE-2020-8599 was chained with CVE-2020-8467 (migration tool RCE) to produce a fully unauthenticated remote code execution chain against the management server. This is the most severe vulnerability in the March 2020 batch and the initial access vector that unlocks the full attack chain.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Trend Micro Apex One (On-Premise) | All builds prior to March 2020 patch | Apply Critical Patch from March 2020 advisory |
| Trend Micro OfficeScan XG SP1 | All builds prior to March 2020 patch | Apply Critical Patch from March 2020 advisory |
Technical Details
The Apex One and OfficeScan management server includes a vulnerable EXE component that exposes a network-accessible interface without enforcing proper authentication. A remote attacker can interact with this component to write data to a server-side path and bypass the normal authentication requirement for root/admin access to the management console.
The CVSS 9.8 score (AV:N/AC:L/PR:N/UI:N) represents the most accessible class of network vulnerability: remotely exploitable, low attack complexity, and no prior credentials or user interaction required. Once authentication is bypassed, the attacker gains management console access equivalent to a full administrator, providing control over all endpoint agents managed by this server.
Attack chain with CVE-2020-8467: The confirmed exploitation pattern uses, in order:
1. CVE-2020-8599 — bypass authentication to obtain admin access
2. CVE-2020-8467 — use the admin session to trigger the migration tool RCE and execute arbitrary code on the server
The result is unauthenticated remote code execution on the management server, with downstream access to all managed endpoints.
Discovery
Trend Micro identified active exploitation of CVE-2020-8599 prior to publishing the March 2020 advisory. No external researcher was publicly credited with the initial discovery.
Exploitation Context
Trend Micro confirmed active in-the-wild exploitation of CVE-2020-8599 chained with CVE-2020-8467 at the time of the March 2020 advisory — an unusually direct confirmation of zero-day exploitation at patch time. The combined chain provided unauthenticated RCE against the Apex One/OfficeScan management server. CISA added CVE-2020-8599 to the KEV catalog on November 3, 2021. No specific threat actor group or campaign has been publicly attributed.
Remediation
- Apply the Critical Patch from Trend Micro's March 2020 advisory for Apex One and OfficeScan XG SP1 immediately — this is the most critical patch in the batch.
- Also apply fixes for CVE-2020-8467 (RCE) and CVE-2020-8468 (content validation escape) to fully close the attack surface.
- Immediately restrict the Apex One/OfficeScan management server to trusted administrative IP ranges — the server must never be internet-accessible.
- Treat any Apex One/OfficeScan server that was internet-accessible before the patch as potentially compromised; audit the server and all managed endpoint configurations for unauthorized changes.
- Rotate all credentials stored on or accessible from the management server.
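One way to start the exposure audit described in the list above, as an added example (not Trend Micro tooling and not part of the original advisory): it scans web access logs in W3C extended format for requests from outside the trusted administrative ranges. The log format, the trusted ranges, the addresses and the URI paths are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: admin workstations live in these ranges (constructed values).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8")]

# Constructed W3C extended log sample; URI paths are placeholders, not real product paths.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-03-10 08:01:12 10.20.0.15 GET /console-placeholder/login 200
2020-03-11 02:44:03 203.0.113.77 POST /console-placeholder/page 200
2020-03-11 02:44:09 203.0.113.77 GET /console-placeholder/admin 200
2020-03-12 09:30:00 10.20.0.15 GET /console-placeholder/admin 200
2020-03-12 23:10:41 198.51.100.4 GET /console-placeholder/login 401
not a log line
"""


def is_trusted(ip_text):
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def untrusted_sources(log_text):
    """Summarise requests whose client IP is outside the trusted admin ranges."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ok": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order can change mid-file
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directive, or malformed/truncated entry
        row = dict(zip(fields, parts))
        try:
            if is_trusted(row["c-ip"]):
                continue
        except (KeyError, ValueError):
            continue  # no client IP column, or unparsable address
        stamp = f'{row.get("date", "?")} {row.get("time", "?")}'
        h = hits[row["c-ip"]]
        h["count"] += 1
        h["first"] = h["first"] or stamp
        h["last"] = stamp
        # 2xx/3xx responses to an untrusted source deserve review first.
        h["ok"] += row.get("sc-status", "")[:1] in ("2", "3")
    return dict(hits)
```

Any source reported here with successful responses before the patch date is a starting point for the compromise review, not proof of exploitation.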
See Also
This CVE is part of a sustained pattern of Trend Micro endpoint security management console vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-8599 |
| Vendor / Product | Trend Micro — Apex One and OfficeScan |
| NVD Published | 2020-03-18 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2020-03-18 | Trend Micro publishes advisory patching CVE-2020-8599 alongside CVE-2020-8467 and CVE-2020-8468; active exploitation of CVE-2020-8599 + CVE-2020-8467 chain confirmed at time of advisory |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |