CVE-2019-20358
Description
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed. Another attack vector similar to CVE-2019-9491 was idenitfied and resolved in version 1.62.0.1228 of the tool.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Anti-Threat Toolkit (ATTK) versions ≤1.62.0.1218 allow an attacker to place malicious files in the same directory, leading to potential RCE when executed.
Vulnerability
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below contain a vulnerability that may allow an attacker to place malicious files in the same directory as the tool. When the tool is executed, the malicious file may also execute, leading to arbitrary remote code execution (RCE). This is similar to CVE-2019-9491, and was resolved in version 1.62.0.1228 [1].
Exploitation
The attacker needs to have the ability to place a malicious file in the directory where the user will run the ATTK tool. This could be achieved through social engineering or by leveraging another vulnerability to write a file. No user interaction beyond running the tool is required for the payload to execute. The attack vector relies on the tool loading or executing resources from its own directory, which the attacker has compromised.
Impact
Successful exploitation allows the attacker to achieve arbitrary remote code execution (RCE) on the affected system. The attacker gains the ability to execute code within the security context of the user running the ATTK tool, potentially leading to full compromise of the system and data.
Mitigation
Trend Micro released version 1.62.0.1228 of ATTK to address this vulnerability. Users should update to this fixed version or later. No workarounds are documented. The vulnerability is not listed on the CISA KEV catalog as of the published date. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= 1.62.0.1218+ 1 more
- (no CPE)range: <= 1.62.0.1218
- (no CPE)range: Version 1.62.0.1218 and below
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- seclists.org/fulldisclosure/2020/Jan/50mitremailing-listx_refsource_FULLDISC
- seclists.org/bugtraq/2020/Jan/55mitrex_refsource_MISC
- success.trendmicro.com/solution/000149878mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.