CVE-2020-15604
Description
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CWE-494: Update files are not properly verified.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Security 2019 (v15) fails to validate update files, allowing an attacker to trick the client into downloading a malicious update and execute arbitrary code with SYSTEM privileges.
Vulnerability
Trend Micro Security 2019 (v15) and earlier Windows consumer products (Premium Security, Maximum Security, Internet Security, Antivirus+) contain an incomplete SSL server certification validation vulnerability (CWE-494) in the Active Update function. The update files are not properly verified, which could allow an attacker to combine this flaw with another attack (CVE-2020-24560) to serve a malicious update instead of the legitimate one. [1][2][4]
Exploitation
An attacker must be in a position to perform a man-in-the-middle (MITM) attack, for example by placing a rogue wireless LAN access point. The attacker then intercepts the update request from the affected client and delivers a specially crafted update file. No authentication or user interaction is required beyond the normal update process. [1][3]
Impact
Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privilege on the target system. This gives full control over the affected Windows machine. [1][3]
Mitigation
Trend Micro released fixes in version 16 (build 16.0.1405 or later) and version 17 (build 17.0.1150 or later) starting September 2019. Users should upgrade to Trend Micro Security 2020 (v16) or 2021 (v17). No workarounds are provided; no KEV listing found. [2][4]
- ウイルスバスター クラウド (Windows版) に実装された Active Update 機能における複数の脆弱性
- アラート/アドバイザリ:ウイルスバスター クラウドの脆弱性について(CVE-2020-15604/CVE-2020-24560)
- Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products
- Security Bulletin: Trend Micro Security 2019 (Consumer) Incomplete SSL Server Certification Validation Vulnerability
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: v15
- Range: 2019 (v15)
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- helpcenter.trendmicro.com/en-us/article/TMKA-09890mitrex_refsource_MISC
- helpcenter.trendmicro.com/ja-jp/article/TMKA-09673mitrex_refsource_MISC
- jvn.jp/en/jp/JVN60093979/mitrex_refsource_MISC
- jvn.jp/jp/JVN60093979/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.