Trend Micro

All CVEs

696 total · sorted by risk
  • CVE-2017-11397 · High · Dec 16, 2017
    risk 0.51 · cvss 7.8 · epss 0.02

    A service DLL preloading vulnerability in Trend Micro Encryption for Email versions 5.6 and below could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

  • CVE-2017-9036 · High · May 26, 2017
    risk 0.51 · cvss 7.8 · epss 0.01

    Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local users to gain privileges by leveraging an unrestricted quarantine directory.

  • CVE-2017-6798 · High · Mar 10, 2017
    risk 0.51 · cvss 7.8 · epss 0.04

    Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL hijacking vulnerability that allows remote attackers to execute arbitrary code, aka Trend Micro Vulnerability Identifier 2015-0208.

  • CVE-2016-6268 · High · Jan 30, 2017
    risk 0.51 · cvss 7.8 · epss 0.01

    Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows local webserv users to execute arbitrary code with root privileges via a Trojan horse .war file in the Solr webapps directory.

  • CVE-2017-11387 · High · Aug 2, 2017
    risk 0.50 · cvss 7.5 · epss 0.15

    Authentication Bypass in Trend Micro Control Manager 6.0 causes Information Disclosure when authentication validation is not done for functionality that can change debug logging level. Formerly ZDI-CAN-4512.

  • CVE-2016-5840 · High · Jun 30, 2016
    risk 0.50 · cvss 7.2 · epss 0.08

    hotfix_upload.cgi in Trend Micro Deep Discovery Inspector (DDI) 3.7, 3.8 SP1 (3.81), and 3.8 SP2 (3.82) allows remote administrators to execute arbitrary code via shell metacharacters in the filename parameter of the Content-Disposition header.

  • CVE-2025-27582 · High · Jul 14, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the…

  • CVE-2018-10512 · High · Aug 15, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) could allow an attacker to manipulate a reverse proxy .dll on vulnerable installations, which may lead to a denial of service (DoS).

  • CVE-2018-6237 · High · May 25, 2018
    risk 0.49 · cvss 7.5 · epss 0.06

    A vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow an unauthenticated remote attacker to manipulate the product to send a large number of specially crafted HTTP requests to potentially cause the file system to fill up, eventually causing a denial…

  • CVE-2017-14082 · High · Jan 19, 2018
    risk 0.49 · cvss 7.5 · epss 0.04

    An uninitialized pointer information disclosure vulnerability in Trend Micro Mobile Security (Enterprise) versions 9.7 and below could allow an unauthenticated remote attacker to disclose sensitive information on a vulnerable system.

  • CVE-2017-14091 · High · Dec 16, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which certain specific installations that utilize an uncommon feature - Other Update Sources - could be exploited to overwrite sensitive files in the ScanMail for Exchange directory.

  • CVE-2016-6220 · High · Aug 7, 2017
    risk 0.49 · cvss 7.5 · epss 0.05

    Information Disclosure vulnerability in the Dashboard and Error Pages in Trend Micro Control Manager SP3 6.0.

  • CVE-2017-11382 · High · Aug 3, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    Denial of Service vulnerability in Trend Micro Deep Discovery Email Inspector 2.5.1 allows remote attackers to delete arbitrary files on vulnerable installations, thus disabling the service. Formerly ZDI-CAN-4350.

  • CVE-2017-11390 · High · Aug 2, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    XML external entity (XXE) processing vulnerability in Trend Micro Control Manager 6.0, if exploited, could lead to information disclosure. Formerly ZDI-CAN-4706.

  • CVE-2017-11379 · High · Aug 1, 2017
    risk 0.49 · cvss 7.5 · epss 0.00

    Configuration and database backup archives are not signed or validated in Trend Micro Deep Discovery Director 1.1.

  • CVE-2017-9035 · High · May 26, 2017
    risk 0.48 · cvss 7.4 · epss 0.04

    Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attackers to eavesdrop and tamper with updates by leveraging unencrypted communications with update servers.

  • CVE-2016-8588 · High · Apr 28, 2017
    risk 0.48 · cvss 7.3 · epss 0.02

    The hotfix_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via shell metacharacters in the file name of an uploaded file.

  • CVE-2016-8587 · High · Apr 28, 2017
    risk 0.48 · cvss 7.3 · epss 0.02

    dlp_policy_upload.cgi in Trend Micro Threat Discovery Appliance 2.6.1062r1 and earlier allows remote authenticated users to execute arbitrary code via an archive file containing a symlink to /eng_ptn_stores/prod/sensorSDK/data/ or /eng_ptn_stores/prod/sensorSDK/backup_pol/.

  • CVE-2016-3664 · High · May 23, 2016
    risk 0.48 · cvss 7.4 · epss 0.01

    Trend Micro Mobile Security for iOS before 3.2.1188 does not verify the X.509 certificate of the mobile application login server, which allows man-in-the-middle attackers to spoof this server and obtain sensitive information via a crafted certificate.

  • CVE-2018-6230 · Medium · Mar 15, 2018
    risk 0.47 · cvss 6.8 · epss 0.03

    A SQL injection vulnerability in a Trend Micro Email Encryption Gateway 5.5 search configuration script could allow an attacker to execute SQL commands to upload and execute arbitrary code that may harm the target system.

  • CVE-2017-11396 · High · Sep 22, 2017
    risk 0.47 · cvss 7.2 · epss 0.03

    Vulnerability issues with the web service inspection of input parameters in Trend Micro Web Security Virtual Appliance 6.5 may allow potential attackers who already have administration rights to the console to implement remote code injections.

  • CVE-2025-71215 · High · May 21, 2026
    risk 0.46 · cvss 7.0 · epss 0.00

    A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute…

  • CVE-2018-6236 · High · May 25, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    A Time-of-Check Time-of-Use privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222813 by the tmusa driver. An attacker must…

  • CVE-2018-10355 · High · May 23, 2018
    risk 0.46 · cvss 7.0 · epss 0.01

    An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system…

  • CVE-2018-6219 · Medium · Mar 15, 2018
    risk 0.46 · cvss 6.5 · epss 0.04

    An Insecure Update via HTTP vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to eavesdrop and tamper with certain types of update data.

  • CVE-2018-6218 · High · Feb 16, 2018
    risk 0.46 · cvss 7.0 · epss 0.02

    A DLL Hijacking vulnerability in Trend Micro's User-Mode Hooking Module (UMH) could allow an attacker to run arbitrary code on a vulnerable system.

  • CVE-2017-14088 · High · Oct 6, 2017
    risk 0.46 · cvss 7.0 · epss 0.01

    Memory Corruption Privilege Escalation vulnerabilities in Trend Micro OfficeScan 11.0 and XG allow local attackers to execute arbitrary code and escalate privileges to resources normally reserved for the kernel on vulnerable installations by exploiting tmwfp.sys. An attacker…

  • CVE-2017-6339 · Medium · Apr 5, 2017
    risk 0.46 · cvss 6.5 · epss 0.04

    Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 mismanages certain key and certificate data. Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to…

  • CVE-2017-6338 · Medium · Apr 5, 2017
    risk 0.46 · cvss 6.5 · epss 0.04

    Multiple Access Control issues in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 allow an authenticated, remote user with low privileges like 'Reports Only' or 'Auditor' to change FTP Access Control Settings, create or modify reports, or upload…

  • CVE-2017-5565 · Medium · Mar 21, 2017
    risk 0.44 · cvss 6.7 · epss 0.01

    Code injection vulnerability in Trend Micro Maximum Security 11.0 (and earlier), Internet Security 11.0 (and earlier), and Antivirus+ Security 11.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any…

  • CVE-2017-14096 · Medium · Jan 19, 2018
    risk 0.43 · cvss 6.1 · epss 0.03

    A stored cross site scripting (XSS) vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to execute a malicious payload on vulnerable systems.

  • CVE-2017-7896 · Medium · Apr 18, 2017
    risk 0.43 · cvss 6.1 · epss 0.04

    Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS.

  • CVE-2016-1225 · Medium · Jun 19, 2016
    risk 0.43 · cvss 6.5 · epss 0.03

    Trend Micro Internet Security 8 and 10 allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2018-10353 · Medium · May 23, 2018
    risk 0.42 · cvss 6.5 · epss 0.01

    A SQL injection information disclosure vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow a remote attacker to disclose sensitive information on vulnerable installations due to a flaw in the formChangePass class. Authentication is required to exploit this…

  • CVE-2018-3600 · Medium · Feb 9, 2018
    risk 0.42 · cvss 6.5 · epss 0.02

    An external entity processing information disclosure (XXE) vulnerability in Trend Micro Control Manager 6.0 could allow a remote attacker to disclose sensitive information on vulnerable installations.

  • CVE-2018-10505 · Medium · Jun 8, 2018
    risk 0.41 · cvss 6.3 · epss 0.00

    A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220008 in the TMWFP driver. An attacker must first obtain…

  • CVE-2018-10359 · Medium · Jun 8, 2018
    risk 0.41 · cvss 6.3 · epss 0.00

    A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x220078 in the TMWFP driver. An attacker must first obtain…

  • CVE-2018-10358 · Medium · Jun 8, 2018
    risk 0.41 · cvss 6.3 · epss 0.00

    A pool corruption privilege escalation vulnerability in Trend Micro OfficeScan 11.0 SP1 and XG could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within the processing of IOCTL 0x2200B4 in the TMWFP driver. An attacker must first obtain…

  • CVE-2017-14093 · Medium · Dec 16, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    The Log Query and Quarantine Query pages in Trend Micro ScanMail for Exchange 12.0 are vulnerable to cross site scripting (XSS) attacks.

  • CVE-2017-9037 · Medium · May 26, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allow remote attackers to inject arbitrary web script or HTML via the (1) S44, (2) S5, (3) S_action_fail, (4) S_ptn_update, (5) T113, (6) T114, (7) T115, (8) T117117,…

  • CVE-2017-9032 · Medium · May 26, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro ServerProtect for Linux 3.0 before CP 1531 allow remote attackers to inject arbitrary web script or HTML via the (1) T1 or (2) tmLastConfigFileModifiedDate parameter to log_management.cgi.

  • CVE-2017-8801 · Medium · May 5, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Trend Micro OfficeScan 11.0 before SP1 CP 6325 (with Agent Module Build before 6152) and XG before CP 1352 has XSS via a crafted URI using a blocked website.

  • CVE-2016-1226 · Medium · Jun 19, 2016
    risk 0.40 · cvss 6.1 · epss 0.02

    Cross-site scripting (XSS) vulnerability in Trend Micro Internet Security 8 and 10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2016-1224 · Medium · Jun 19, 2016
    risk 0.40 · cvss 6.1 · epss 0.02

    CRLF injection vulnerability in Trend Micro Worry-Free Business Security Service 5.x and Worry-Free Business Security 9.0 allows remote attackers to inject arbitrary HTTP headers and conduct cross-site scripting (XSS) attacks via unspecified vectors.

  • CVE-2018-6227 · Medium · Mar 15, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    A stored cross-site scripting (XSS) vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject client-side scripts into vulnerable systems.

  • CVE-2018-6226 · Medium · Mar 15, 2018
    risk 0.38 · cvss 5.4 · epss 0.02

    Reflected cross-site scripting (XSS) vulnerabilities in two Trend Micro Email Encryption Gateway 5.5 configuration files could allow an attacker to inject client-side scripts into vulnerable systems.

  • CVE-2017-14085 · Medium · Oct 6, 2017
    risk 0.38 · cvss 5.3 · epss 0.06

    Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 and XG may allow unauthenticated users who can access the OfficeScan server to query the network's NT domain or the PHP version and modules.

  • CVE-2017-6340 · Medium · Apr 5, 2017
    risk 0.38 · cvss 5.4 · epss 0.02

    Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect…

  • CVE-2016-9319 · Medium · Mar 31, 2017
    risk 0.38 · cvss 5.9 · epss 0.01

    There is Missing SSL Certificate Validation in the Trend Micro Enterprise Mobile Security Android Application before 9.7.1193, aka VRTS-398.

  • CVE-2016-9316 · Medium · Feb 21, 2017
    risk 0.38 · cvss 5.4 · epss 0.03

    Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least…
