vulnerability

Trend Micro Apex One: CVE-2019-18188: Improper Neutralization of Special Elements used in a Command

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	Oct 28, 2019	Apr 29, 2025	Apr 6, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Oct 28, 2019

Added

Apr 29, 2025

Modified

Apr 6, 2026

Description

Trend Micro Apex One could be exploited by an attacker utilizing a command injection vulnerability to extract files from an arbitrary zip file to a specific folder on the Apex One server, which could potentially lead to remote code execution (RCE). The remote process execution is bound to the IUSR account, which has restricted permission and is unable to make major system changes. An attempted attack requires user authentication.

Solution

trend-micro-apex-one-upgrade-latest

References

CWE-77
CVE-2019-18188
https://attackerkb.com/topics/CVE-2019-18188
https://success.trendmicro.com/solution/000151731
https://euvd.enisa.europa.eu/vulnerability/EUVD-2019-7991

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report