Trend Micro has fixed two actively exploited zero-day vulnerabilities in its Apex One and OfficeScan XG enterprise security products, and advises customers to update to the latest software versions as soon as possible.
The two zero-days are:
In both cases, attackers must authenticate to the target endpoint with valid, compromised credentials before attempting exploitation, which means that these flaws are likely to have been exploited by attackers who have already found their way into the enterprise network.
The affected versions are Apex One 2019 (on premise) for Windows and OfficeScan XG SP1 and XG for Windows. Fixes have been implemented in:
In addition to these two zero-days, three more critical security holes (CVE-2020-8470, CVE-2020-8598 and CVE-2020-8599) have been plugged in these updates. These three allow remote attacks without authentication, but Trend Micro has not observed any attempted exploits of those vulnerabilities.
The company did not share the nature of the in-the-wild attacks.
Before this, in October 2019, Trend Micro fixed CVE-2019-18187, a vulnerability affecting OfficeScan that was used by a Chinese hacker group that breached Mitsubishi Electric.