Connect with us

Hi, what are you looking for?



Trend Micro Patches Vulnerabilities in InterScan Messaging Security Product

Trend Micro has patched several vulnerabilities in its InterScan Messaging Security product, including flaws that could have a serious impact.

Trend Micro has patched several vulnerabilities in its InterScan Messaging Security product, including flaws that could have a serious impact.

InterScan Messaging Security is an email and collaboration security product designed to provide protection against spam, phishing and sophisticated attacks. The product has a hybrid SaaS deployment option that combines a gateway virtual appliance with a prefilter to block spam and threats.

Researchers at cybersecurity consultancy SEC Consult discovered that the InterScan Messaging Security Virtual Appliance (IMSVA) is affected by eight types of security issues.

The list includes cross-site request forgery (CSRF), XML external entity (XXE), over-privileged users and services, server-side request forgery (SSRF), local file disclosure, information disclosure, weak password storage, and outdated software components.

One of the most serious vulnerabilities is CVE-2020-27016, a high-severity CSRF issue that can be exploited to modify the product’s policy rules, which, according to SEC Consult, can allow an attacker to bypass malware checks or forward emails to a host they control.

However, in order to exploit this flaw, an attacker needs to convince an authenticated administrator to access a malicious webpage.

SEC Consult also discovered a high-severity XXE vulnerability, tracked as CVE-2020-27017, that can be exploited to read arbitrary local files. While exploitation requires admin privileges, an attacker could achieve this by combining it with the CSRF flaw.

Advertisement. Scroll to continue reading.

The remaining security holes have been rated medium or low severity. One of them can allow an attacker to access files that should only be accessible to users with high privileges. This weakness can be combined with the XXE flaw to access files that are normally only accessible to the root user, such as /etc/shadow, which contains user account information. The other less severe issues could expose sensitive information.

“Some vulnerabilities need administrative access rights or an administrator actively being logged in (such as for CSRF). A standard user account is sufficient in order to exploit the SSRF/file disclosure vulnerability. The information disclosure vulnerability can be exploited without prior authentication and potentially sensitive data such as key material can be obtained,” SEC Consult told SecurityWeek.

SEC Consult said it informed Trend Micro about the vulnerabilities in late April and patches were released on October 9. However, Trend Micro only issued a security bulletin on November 4.

“We are aware of the vulnerabilities found in the IMSVA product and commend SEC Consult for responsibly disclosing them and working closely with us. We have released a critical patch that resolves these vulnerabilities and encourage customers to ensure that their products have been updated to the latest build,” Trend Micro told SecurityWeek in an emailed statement.

Related: Trend Micro Patches More Vulnerabilities in Anti-Threat Toolkit

Related: Trend Micro Patches Two Vulnerabilities Exploited in the Wild

Related: Trend Micro OfficeScan Flaw Apparently Exploited in Mitsubishi Electric Hack

Related: Vulnerabilities Disclosed in Kaspersky, Trend Micro Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.