CVE-2023-41179 — Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability

Trend Micro Apex One — Admin-Accessible Third-Party AV Uninstaller Executes Arbitrary Attacker-Specified Binary on Managed Endpoints; Zero-Day KEV Addition 48 Hours After Advisory

What is Trend Micro Apex One?

Trend Micro Apex One is Trend Micro's enterprise endpoint protection platform, providing centralized management of antivirus, EDR, and threat response across all managed endpoints. Among its features is a third-party AV uninstaller — a utility that allows administrators to remotely uninstall competing security products from managed endpoints as part of migration or deployment standardization workflows. This feature executes the specified uninstaller binary with elevated privileges on managed endpoints via the Apex One server's distribution mechanism. The feature's design — an administrator-specified executable running with elevated privileges across managed endpoints — represents an inherent RCE primitive if the validation of the specified executable is insufficient.

Overview

CVE-2023-41179 is a remote code execution vulnerability in Trend Micro Apex One and Worry-Free Business Security rooted in the third-party AV uninstaller feature. An attacker with administrative access to the Apex One management console can specify an arbitrary executable (rather than a legitimate AV uninstaller) as the "uninstaller" to be run on managed endpoints. The server then distributes and executes the attacker-specified binary with elevated privileges on all targeted endpoints. Trend Micro confirmed active in-the-wild exploitation at the time of the September 2023 advisory, and CISA added it to KEV just 48 hours later — one of the fastest KEV additions of 2023, reflecting the severity and immediacy of active exploitation.

Affected Versions

Product | Vulnerable | Fixed
--- | --- | ---
Trend Micro Apex One (On-Premise) 2019 | All builds prior to September 2023 patch | Apply Critical Patch from advisory 000294994
Trend Micro Apex One as a Service | All builds prior to September 2023 patch | Apply Critical Patch from advisory 000294994
Trend Micro Worry-Free Business Security 10.0 SP1 | All builds prior to September 2023 patch | Apply Critical Patch from advisory 000294994

Technical Details

CWE-94 (Improper Control of Generation of Code — Code Injection). The third-party AV uninstaller feature accepts an administrator-specified path to an executable that will be run on managed endpoints as part of the removal workflow. A flaw in how the feature validates the specified executable — or a complete absence of validation — allows the path to point to an arbitrary binary rather than a legitimate AV uninstaller. When the feature executes, it runs the attacker-specified binary with the elevated privileges of the Apex One agent service on all targeted managed endpoints.

The PR:H (High Privileges Required) rating reflects that the attacker must have admin console access — a pre-condition that sophisticated attackers routinely obtain through credential theft, phishing, or prior lateral movement. Once admin access is available, CVE-2023-41179 provides an immediate, clean code execution mechanism across potentially thousands of endpoints simultaneously.

The AV:N (Network) vector reflects that the management console is network-accessible and the execution is directed from the attacker's location to targeted endpoints via the console, without requiring direct network access to the endpoints themselves. A single compromised admin credential can trigger code execution across the entire managed endpoint estate.

Discovery

Trend Micro confirmed active exploitation at the time of the September 2023 advisory. No specific external researcher was publicly credited with the initial vulnerability report.

Exploitation Context

Trend Micro confirmed active in-the-wild exploitation of CVE-2023-41179 at the time of the September 19, 2023 advisory. CISA added it to the KEV catalog just 48 hours later on September 21, 2023 — reflecting both the severity of the exploitation activity and CISA's expedited response to confirmed active zero-day use. This is the most recent entry in the sustained pattern of Trend Micro Apex One management console vulnerabilities in CISA KEV spanning 2019–2023. No specific threat actor group or ransomware campaign has been publicly attributed.

Remediation

  1. Apply the Critical Patch from Trend Micro advisory 000294994 immediately for Apex One 2019 (on-premise), Apex One as a Service, and Worry-Free Business Security 10.0 SP1.
  2. Until patched: disable or restrict use of the third-party AV uninstaller feature in the Apex One console to prevent exploitation of this specific attack vector.
  3. Restrict Apex One console administrative access to dedicated management workstations on isolated, non-internet-accessible networks.
  4. Audit all recent third-party AV uninstaller task executions in the Apex One server logs — review for any unexpected executables specified as the "uninstaller" target.
  5. Review endpoint execution logs for unexpected process executions that originated from the Apex One agent service around the September 2023 timeframe.

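The validation that the Technical Details section says the uninstaller feature lacked, and the audit that remediation step 4 calls for, come down to the same question: is the binary an administrator named as the "uninstaller" actually one of the expected uninstallers, staged where they are supposed to be? The example below is added here and is not Trend Micro's code or log format; the allowlist, staging directory and the `task_id|admin|exe_path` record layout are assumptions constructed for illustration.

```python
import ntpath

# Allowlist of uninstaller file names and the directory they are staged in.
# Both are assumptions constructed for this example, not Trend Micro's values.
EXPECTED_UNINSTALLERS = {"competitoruninstall.exe", "avremover.exe"}
APPROVED_STAGING_DIR = "c:\\programdata\\approveduninstallers"
# Writable locations where an arbitrary binary would typically be dropped.
SUSPICIOUS_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")

def check_uninstaller_path(exe_path: str) -> list[str]:
    """Reasons the path is not an expected uninstaller; empty means it passes.
    This is the validation the vulnerable feature lacked; the same rules
    double as an audit filter over historical tasks."""
    # Normalise before comparing so '..' segments cannot escape the approved
    # directory while still passing a naive prefix match on the raw string.
    path = ntpath.normpath(exe_path).lower()
    name = ntpath.basename(path)
    reasons = []
    if not ntpath.isabs(path):
        reasons.append("relative path")
    if ntpath.dirname(path) != APPROVED_STAGING_DIR:
        reasons.append("outside approved staging directory")
    if name not in EXPECTED_UNINSTALLERS:
        reasons.append(f"unlisted binary name {name!r}")
    if path.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("runs from a user-writable location")
    return reasons

def audit_task_log(lines) -> dict[str, list[str]]:
    """Parse constructed 'task_id|admin|exe_path' records (a made-up layout,
    not Apex One's real log format) and map each failing task_id to its reasons."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        task_id, _admin, exe_path = line.strip().split("|")
        reasons = check_uninstaller_path(exe_path)
        if reasons:
            findings[task_id] = reasons
    return findings

# Constructed sample records: one legitimate task and two that should be flagged.
SAMPLE_LOG = """\
T100|alice|C:\\ProgramData\\ApprovedUninstallers\\CompetitorUninstall.exe
T101|svc-backup|C:\\Users\\Public\\update.exe
T102|alice|C:\\ProgramData\\ApprovedUninstallers\\..\\..\\Users\\Public\\payload.exe
"""

if __name__ == "__main__":
    for task_id, reasons in audit_task_log(SAMPLE_LOG.splitlines()).items():
        print(task_id, "->", "; ".join(reasons))
```

In production the name allowlist would be backed by an Authenticode signature check on the staged binary, which this offline example leaves out.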
See Also

This CVE is part of a sustained pattern of Trend Micro Apex One management console vulnerabilities in CISA KEV spanning 2019–2026. See Attacking the Defenders: The Persistent Pattern of AV and EDR Products in CISA KEV for analysis of 18 KEV entries across Microsoft Defender, Trend Micro Apex One, McAfee, and Sophos.

Key Details

Property | Value
--- | ---
CVE ID | CVE-2023-41179
Vendor / Product | Trend Micro — Apex One and Worry-Free Business Security
NVD Published | 2023-09-19
NVD Last Modified | 2025-10-31
CVSS 3.1 Score | 7.2
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-94
CISA KEV Added | 2023-09-21
CISA KEV Deadline | 2023-10-12
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
--- | ---
Attack Vector | Network
Attack Complexity | Low
Privileges Required | High
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2023-10-12. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
--- | ---
2023-09-19 | Trend Micro publishes advisory 000294994 patching CVE-2023-41179; confirms active in-the-wild exploitation at time of advisory
2023-09-21 | CISA adds CVE-2023-41179 to KEV catalog — 48 hours after advisory, confirming active zero-day exploitation
2023-10-12 | CISA BOD 22-01 remediation deadline

References

Resource | Type
--- | ---
Trend Micro Security Advisory — CVE-2023-41179 | Vendor Advisory
NVD — CVE-2023-41179 | Vulnerability Database
CISA KEV Catalog Entry | US Government