CVE-2022-26871 — Trend Micro Apex Central Arbitrary File Upload Vulnerability

CVE-2022-26871

Trend Micro Apex Central — Pre-Auth RCE via Arbitrary File Upload in Management Console

What is Trend Micro Apex Central?

Trend Micro Apex Central (formerly Control Manager) is a centralized security management console that allows IT and security administrators to manage Trend Micro endpoint security products across an organization. It provides policy management, threat visibility, and security product deployment from a single web-based interface. As the central management platform for endpoint security, Apex Central is a high-value target — compromising it gives attackers control over the organization's endpoint security infrastructure.

Overview

CVE-2022-26871 is a pre-authentication arbitrary file upload vulnerability in Trend Micro Apex Central that leads to remote code execution. An unauthenticated attacker who can reach the Apex Central web console can upload malicious files, which are then executed on the server. Trend Micro confirmed active exploitation in the wild in its advisory, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog just 2 days after the advisory, one of the fastest KEV additions of 2022. CVSS 9.8. CWE-345 (Insufficient Verification of Data Authenticity).

Affected Versions

Product | Vulnerable | Fixed
Apex Central 2019 | Build 6016 and earlier | Build 6017
Apex Central as a Service | Before March 29, 2022 patch | Patched automatically

Technical Details

The vulnerability (CWE-345) involves insufficient verification of uploaded file content in the Apex Central web console. The management interface includes file upload functionality — likely for importing policies, configurations, or threat intelligence feeds — that fails to properly validate file type, extension, or content before saving and potentially executing the uploaded file.

The attack chain is:

  1. The attacker identifies the unauthenticated file upload endpoint on the Apex Central web interface (typically port 443)
  2. The attacker uploads a malicious executable or script file (e.g., an ASPX/JSP webshell)
  3. The file is saved to a web-accessible or executable location on the server
  4. The attacker triggers execution by requesting the uploaded file over HTTP

The attack requires no credentials and can be performed from any network location that can reach the Apex Central console — which is often internet-accessible for remote management by IT staff and MSSPs.

Discovery

Trend Micro's own security team identified the vulnerability and confirmed active exploitation before publishing the advisory. The rapid KEV addition and Trend Micro's confirmation of in-the-wild attacks indicate that the vulnerability was being exploited by threat actors at the time of disclosure.

Exploitation Context

Security management platforms like Apex Central are extremely valuable attack targets because:

  • They have privileged access to all managed endpoint security agents
  • Compromising the management server can disable endpoint protection across the entire fleet
  • Policy control can be used to whitelist malicious files or disable threat detection
  • The server stores the security event data and threat intelligence that would reveal attacker activity, which intruders want to stay hidden from

The threat actor(s) exploiting this vulnerability at the time of disclosure were targeting organizations' security management infrastructure — a "meta-attack" designed to compromise the defenders' tools before conducting the primary attack.

Remediation

  1. Apply the patch immediately: Update Apex Central 2019 to Build 6017 or later via the Apex Central console or Trend Micro's update portal.
  2. Restrict console access: Limit access to the Apex Central web interface to authorized management networks. The console should not be internet-facing without additional authentication controls (VPN, IP allowlist).
  3. Enable multi-factor authentication: Configure MFA for all Apex Central administrator accounts.
  4. Verify no webshells were planted: Check the Apex Central web server directory for unexpected files with scripting extensions (.asp, .aspx, .jsp, .php) that could be webshells.
  5. Review security event logs: Check Apex Central's audit logs for unauthorized access attempts and changes to endpoint security policies.
  6. Verify endpoint protection status: Confirm that managed endpoint agents have not had their protection policies disabled or modified by unauthorized actors.
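One way to carry out step 4 on the Apex Central host, as an added example rather than Trend Micro's own tooling: the PowerShell function below lists script files under the web root that are new, recently modified, or absent from (or different to) a known-good baseline. The web root path and the baseline CSV layout (columns Path,Hash, taken from a clean install of the same build) are assumptions; point them at your installation.

```powershell
# Added example, not Trend Micro's code. Hunts the Apex Central web root for
# script files (remediation step 4) that are new, recently changed, or not in a
# known-good baseline. The web root path used at the bottom is a placeholder.
function Find-SuspiciousWebFiles {
    param(
        [Parameter(Mandatory)] [string] $WebRoot,
        [datetime] $Since = (Get-Date).AddDays(-90),
        [string] $BaselineCsv = $null   # optional CSV (columns Path,Hash) from a clean install
    )
    # Extensions named in the remediation guidance plus ASP.NET handler types
    $scriptExt = @('.asp', '.aspx', '.ashx', '.asmx', '.jsp', '.php')

    # Baseline lookup: relative path -> SHA256 of the known-good file
    $baseline = @{}
    if ($BaselineCsv -and (Test-Path $BaselineCsv)) {
        Import-Csv $BaselineCsv | ForEach-Object { $baseline[$_.Path.ToLower()] = $_.Hash.ToUpper() }
    }

    Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $rel  = $_.FullName.Substring($WebRoot.Length).TrimStart('\').ToLower()
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            $reasons = @()
            # Timestamps can be altered, so the baseline hash comparison is the
            # stronger signal; it also catches legitimate files modified in place.
            if ($_.CreationTime -ge $Since)  { $reasons += 'created recently' }
            if ($_.LastWriteTime -ge $Since) { $reasons += 'modified recently' }
            if ($baseline.Count -gt 0) {
                if (-not $baseline.ContainsKey($rel)) { $reasons += 'not in baseline' }
                elseif ($baseline[$rel] -ne $hash)    { $reasons += 'hash differs from baseline' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    SHA256   = $hash
                    Reason   = ($reasons -join '; ')
                }
            }
        } | Sort-Object Modified -Descending
}

# Example run; replace the placeholder path with the real Apex Central WebUI directory.
Find-SuspiciousWebFiles -WebRoot 'C:\Program Files (x86)\Trend Micro\Control Manager' -Since '2022-03-01' |
    Export-Csv -NoTypeInformation -Path '.\apex-central-webfile-hunt.csv'
```

Review every flagged file by hand before deleting anything, and preserve a copy (with its timestamps and hash) for the incident record.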

Key Details

Property | Value
CVE ID | CVE-2022-26871
Vendor / Product | Trend Micro — Apex Central
NVD Published | 2022-03-29
NVD Last Modified | 2025-12-22
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-345
CISA KEV Added | 2022-03-31
CISA KEV Deadline | 2022-04-21
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-04-21. Apply updates per vendor instructions.

Timeline

Date | Event
2022-03-29 | CVE published; Trend Micro released patch
2022-03-31 | Trend Micro confirmed active exploitation; CISA added to KEV
2022-04-21 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2022-26871 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Trend Micro Security Bulletin — CVE-2022-26871 | Vendor Advisory