Trend Micro Apex One customers have been warned by the security software provider to immediately apply fixes to an actively abused security flaw, tracked as CVE-2022-40139, which could enable remote execution of arbitrary code on unpatched instances, reports BleepingComputer.
"Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild. Customers are strongly encouraged to update to the latest versions as soon as possible," said the company, which noted that the flaw stemmed from improper validation of certain rollback mechanism components within Trend Micro Apex One and Trend Micro Apex One as a Service.
Aside from the actively exploited bug, Trend Micro has also fixed a high-severity Apex One flaw, tracked as CVE-2022-40144, which could facilitate authentication bypass.
"Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible," said Trend Micro.
CyberScoop reports that federal civilian agencies have been ordered by the Cybersecurity and Infrastructure Security Agency to provide regular reports on software vulnerabilities as part of a new directive aimed at improving vulnerability detection and asset visibility in federal networks.