CVE-2024-48904 (CVSS 9.8): Critical Command Injection Vulnerability in Trend Micro Cloud Edge
Trend Micro has issued an urgent security bulletin warning users of a critical command injection vulnerability in its Cloud Edge appliance. This vulnerability, tracked as CVE-2024-48904 and assigned a CVSS score of 9.8, could allow a remote attacker to execute arbitrary code on affected devices without authentication.
“An command injection vulnerability in Trend Micro Cloud Edge could allow a remote attacker to execute arbitrary code on affected appliances,” the bulletin states, highlighting the severity of the issue.
Affected versions include Cloud Edge 5.6SP2 and 7.0. Trend Micro has released updated builds to address the vulnerability:
- Cloud Edge: 5.6 SP2 build 3228 & 7.0 build 1081
“These are the minimum recommended version(s) of the patches and/or builds required to address the issue,” the bulletin clarifies. “Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available.”
While exploiting this vulnerability typically requires access to the vulnerable machine, the fact that authentication is not required makes it a serious threat. Trend Micro urges all users to update their Cloud Edge appliances immediately to mitigate the risk of potential attacks.
In addition to patching, Trend Micro recommends reviewing remote access to critical systems and ensuring that security policies and perimeter security are up-to-date.
