According to a security bulletin by Trend Micro, multiple critical vulnerabilities were recently discovered in the company’s Apex One and OfficeScan XG products. Two of the vulnerabilities (CVE-2020-8467 and CVE-2020-8468) were considered to be zero-days due to observed exploit attempts prior to patch availability. Three other vulnerabilities (CVE-2020-8470, CVE-2020-8598, and CVE-2020-8599) were detailed in the report as well, all with a Common Vulnerability Scoring System (CVSS) rating of 10 out of 10, the most severe score. There was no indication given that these three vulnerabilities had been exploited in the wild yet.
CVE-2020-8470 details a vulnerable service that can be abused to delete any file on the host with SYSTEM-level privileges. No authentication is required to exploit the service. CVE-2020-8598 also describes a vulnerable service DLL; this service can be abused remotely without authentication to execute code with SYSTEM-level privileges. The last vulnerability described in the bulletin, CVE-2020-8599, allows unauthenticated attackers to write data to any path on the system.