CVE-2023-32554

Vulnerability

CVE-2023-32554 is a Time-of-Check Time-Of-Use (TOCTOU) vulnerability in the Trend Micro Apex One (2019 on-prem) and Apex One as a Service (versions before April 2023 Maintenance) security agent. The issue exists within the Apex One Client Plug-in Service Manager and results from a lack of proper file locking when performing operations on a file, creating a race window [1], [2]. A local attacker must first obtain the ability to execute low-privileged code on the target system [1].

Exploitation

An attacker with low-privileged code execution on the affected system can exploit the race condition in the Client Plug-in Service Manager by timing an operation against a file that is being concurrently accessed without adequate locking. The flaw is triggered locally with low attack complexity; no additional authentication beyond the initial low-privileged foothold is required [2].

Impact

Successful exploitation allows the attacker to leverage the race condition to escalate privileges and execute arbitrary code in the context of SYSTEM, resulting in full compromise of confidentiality, integrity, and availability on the affected endpoint [2].

Mitigation

Trend Micro released fixes: Apex One on-prem should apply SP1 Critical Patch B12024 (build date not specified in reference), and Apex One as a Service customers must apply the April 2023 Maintenance hotfix (Build 202304, Security Agent version 14.0.12105) [1]. No workarounds are documented; applying the latest patch is the only mitigation. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog per available references.