CVE-2021-36741 — Trend Micro Multiple Products Improper Input Validation Vulnerability

Trend Micro Apex One — Unrestricted File Upload via Agent Communication Endpoint Allows Web Shell Deployment; Disclosed with CVE-2021-36742 Agent LPE

What is Trend Micro Apex One?

Trend Micro Apex One is Trend Micro's enterprise endpoint protection platform (EPP/EDR). Its management server exposes a network interface used to communicate with endpoint agents — receiving telemetry, delivering policy updates, and processing requests from managed agents. Because this communication channel is network-accessible and handles file content, vulnerabilities in its input validation logic can allow an authenticated attacker to upload arbitrary files to the server, potentially including web shells that provide persistent remote access.

Overview

CVE-2021-36741 is an unrestricted file upload vulnerability (CWE-434) in the Trend Micro Apex One management server's agent communication endpoint. An authenticated low-privilege attacker can upload arbitrary files — including server-side script files — to the management server, enabling web shell deployment and persistent remote code execution. Trend Micro confirmed active exploitation at the time of the July 2021 advisory. The vulnerability was disclosed alongside CVE-2021-36742 (an agent-side LPE), with both actively exploited together. CISA added both to KEV in November 2021.

Affected Versions

| Product | Vulnerable | Fixed |
| --- | --- | --- |
| Trend Micro Apex One (On-Premise) | All builds prior to July 2021 patch | Apply Critical Patch from advisory 000287819 |
| Trend Micro Apex One as a Service | All builds prior to July 2021 patch | Apply Critical Patch from advisory 000287819 |
| Trend Micro Worry-Free Business Security | All builds prior to July 2021 patch | Apply Critical Patch from advisory 000287820 |

Technical Details

CWE-434 (Unrestricted Upload of File with Dangerous Type). The Apex One server exposes an agent communication endpoint that accepts file uploads as part of its normal telemetry and agent-update workflow. A flaw in the content type and extension validation allows an attacker to upload files with server-executable extensions that are not restricted by the validator. The server stores the uploaded file in a web-accessible location, and subsequent HTTP requests to that path execute the uploaded web shell with the privileges of the web server process.
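The validator gap described above, as an added illustration that is not Trend Micro's code: an extension deny-list beside the allow-list check and out-of-web-root storage that closes it. The extension sets, content types and upload directory are assumptions for this example.

```python
"""Added illustration, not Trend Micro's code: an extension deny-list as an
upload validator, beside the allow-list check and non-web-root storage that
CWE-434 guidance calls for. Extension sets, content types and the upload
directory are assumptions for this example."""
import posixpath
import secrets

# Deny-list: blocks only the script types its author thought of, so any
# other server-executable extension passes (the gap the advisory describes).
WEAK_DENYLIST = {".php", ".jsp", ".aspx"}

# Allow-list of what the agent workflow legitimately sends (assumed types),
# each tied to the content type the request must declare.
ALLOWLIST = {".log": "text/plain", ".dat": "application/octet-stream"}


def _ext(filename: str) -> str:
    """Lower-cased extension of the final path component."""
    return posixpath.splitext(posixpath.basename(filename))[1].lower()


def weak_validate(filename: str) -> bool:
    """Vulnerable pattern: reject listed extensions, accept everything else."""
    return _ext(filename) not in WEAK_DENYLIST


def strict_validate(filename: str, content_type: str) -> bool:
    """Hardened pattern: bare file name, exactly one extension, extension on
    the allow-list, and declared content type matching that extension."""
    base = posixpath.basename(filename)
    if base != filename or base.count(".") != 1:  # no directories, no a.aspx.log
        return False
    ext = _ext(base)
    return ext in ALLOWLIST and ALLOWLIST[ext] == content_type.lower()


def storage_path(upload_dir: str, ext: str) -> str:
    """Server-chosen random name under a directory that is not served over
    HTTP, so a stored file can never be reached (or executed) as a URL."""
    return posixpath.join(upload_dir, secrets.token_hex(16) + ext)
```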

The PR:L (Low Privileges Required) rating means an attacker needs a valid low-privilege authenticated session — achievable via stolen credentials, phishing, or by chaining with an auth bypass. The AV:N (Network) vector reflects that the upload endpoint is network-accessible from any host that can reach the management console.

CVE-2021-36742 chain: CVE-2021-36741 (server-side file upload) and CVE-2021-36742 (agent LPE) were confirmed exploited together — the file upload provides server-side code execution, and the LPE provides SYSTEM-level access on managed endpoints.

Discovery

The researcher credited for CVE-2021-36741 is not publicly known. Trend Micro confirmed active exploitation at the time of the July 2021 advisory.

Exploitation Context

Trend Micro confirmed active in-the-wild exploitation of CVE-2021-36741 at the time of the July 2021 advisory. CISA added it to the KEV catalog on November 3, 2021. No specific threat actor group has been publicly attributed. The combination of server-side web shell access (CVE-2021-36741) and endpoint-level LPE (CVE-2021-36742) provides a complete attack chain against the Apex One infrastructure.

Remediation

  1. Apply the Critical Patch from Trend Micro advisory 000287819 (Apex One) or 000287820 (Worry-Free Business Security) immediately.
  2. Restrict the Apex One management server to trusted administrative networks — the console must not be internet-accessible.
  3. Scan the Apex One server web root for unexpected .jsp, .aspx, .php, or other executable files that may have been uploaded as web shells.
  4. Review web server access logs on the Apex One server for POST requests to agent communication endpoints from unexpected source IPs.
  5. Also apply the fix for CVE-2021-36742 (agent LPE), which was co-exploited with this vulnerability.
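Remediation step 4 as detection logic, added here and not part of the advisory: triage of IIS W3C access log lines for POSTs to agent communication paths from outside trusted ranges, plus requests for script-type files under those paths (step 3's web-root concern seen from the log side). The endpoint prefix, trusted network, field order and log lines are all constructed for this example.

```python
"""Added example, not part of the advisory: triage constructed IIS W3C log
lines for the signals remediation step 4 describes. Endpoint paths, trusted
networks, field order and the sample lines are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Placeholder prefix: replace with the product's real agent-communication paths.
AGENT_ENDPOINT_PREFIXES = ("/agent/upload/",)
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed agent/admin range
SCRIPT_EXTS = (".jsp", ".aspx", ".php", ".asp", ".ashx")

# Constructed sample in W3C format: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2021-07-20 09:15:02 10.10.4.21 POST /agent/upload/telemetry 200
2021-07-20 09:16:40 198.51.100.77 POST /agent/upload/telemetry 200
2021-07-20 09:17:05 198.51.100.77 GET /agent/upload/report.aspx 200
2021-07-20 09:18:11 10.10.4.22 GET /console/index.html 200
"""


@dataclass
class Finding:
    line_no: int
    reason: str
    src: str
    path: str


def _trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str) -> list[Finding]:
    """One Finding per suspicious request line; '#' directive lines are skipped."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        _date, _time, src, method, path, _status = line.split()[:6]
        low = path.lower()
        under_agent = low.startswith(AGENT_ENDPOINT_PREFIXES)
        if method == "POST" and under_agent and not _trusted(src):
            findings.append(Finding(n, "agent-endpoint POST from untrusted source", src, path))
        if under_agent and low.endswith(SCRIPT_EXTS):
            findings.append(Finding(n, "script-type file requested under agent path", src, path))
    return findings
```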

See Also

This CVE is part of a sustained pattern of Trend Micro Apex One vulnerabilities in CISA KEV. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

| Property | Value |
| --- | --- |
| CVE ID | CVE-2021-36741 |
| Vendor / Product | Trend Micro — Apex One, Apex One as a Service, and Worry-Free Business Security |
| NVD Published | 2021-07-29 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-434 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
| --- | --- |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

| Date | Event |
| --- | --- |
| 2021-07-29 | Trend Micro publishes advisory patching CVE-2021-36741 and CVE-2021-36742 together; active exploitation of both confirmed at time of advisory |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |