Vulnerability Management

Immediate patching urged for exploited Trend Micro Apex One RCE

Trend Micro Apex One customers have been warned by the security software provider to immediately apply fixes to an actively abused security flaw, tracked as CVE-2022-40139, which could enable remote execution of arbitrary code on unpatched instances, reports BleepingComputer.

"Trend Micro has observed at least one active attempt of potential exploitation of this vulnerability in the wild. Customers are strongly encouraged to update to the latest versions as soon as possible," said the company, which noted that the flaw stemmed from improper validation of certain rollback mechanism components within Trend Micro Apex One and Trend Micro Apex One as a Service.

Aside from the actively exploited bug, Trend Micro has also fixed a high-severity Apex One flaw, tracked as CVE-2022-40144, which could facilitate authentication bypass. "Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible," said Trend Micro.
