Trend Micro Patches Serious Flaws in Product Used by Companies, Governments

Trend Micro informed customers this week that an update for its InterScan Web Security Virtual Appliance (IWSVA) patches several potentially serious vulnerabilities, including ones that can be exploited to remotely take control of the appliance.

The vulnerabilities were discovered by Wolfgang Ettlinger, a researcher at Austria-based cybersecurity consultancy SEC Consult, and they were reported to Trend Micro in the summer of 2019. However, the vendor only managed to completely patch all of the security holes in late November 2020, with the release of IWSVA 6.5 SP2 CP b1919.

While the validation and patching process took a fairly long time, SEC Consult told SecurityWeek that the Trend Micro PSIRT handled the issue very professionally, “in contrast to other larger companies we have encountered in the past.”

Trend Micro IWSVA is a web gateway that helps enterprises protect their systems against online threats, while also providing real-time visibility and control of employee internet usage.

Ettlinger identified a total of six types of vulnerabilities in the IWSVA product, including CSRF protection bypass, XSS, authorization and authentication bypass, command execution, and command injection issues, a majority of which have been classified as high severity.

SEC Consult told SecurityWeek that it has identified three attack scenarios that can exploit these vulnerabilities. In one of them, an attacker can gain root access to a targeted appliance remotely from the internet by chaining the CSRF and command execution vulnerabilities.

In another scenario, an attacker with access to the HTTP proxy port could exploit the authentication/authorization bypass vulnerabilities and the command execution flaw to take over the appliance as root, without user or admin interaction.

In the third attack scenario described by the company, an attacker with network access to the admin interface could exploit the command injection vulnerability — which affects the login process under certain configurations — to execute arbitrary OS commands on the appliance as a user named “iscan” and possibly elevate privileges.

While it’s unclear exactly how many organizations are using the affected Trend Micro product, SEC Consult told SecurityWeek that it has notified cybersecurity agencies in Germany and Austria, and learned that the product is used by major corporations and even government organizations.

SEC Consult has published an advisory containing technical information for each of the vulnerabilities, but the company says it’s not releasing the actual PoC exploits. A video demonstrating an attack has also been made available.

“We are aware of the vulnerabilities found in the IWSVA product and commend SEC Consult for responsibly disclosing them and working closely with us to resolve the issues,” Trend Micro told SecurityWeek in an emailed statement. “We have released a critical patch that resolves these vulnerabilities and the solution is available now. We recommend customers apply the patch and review our bulletin for some additional best practice configuration recommendations.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
