CVE-2020-24557 Overview
A privilege escalation vulnerability exists in Trend Micro Apex One and Worry-Free Business Security 10.0 SP1 on Microsoft Windows that allows an attacker to manipulate a specific product folder to temporarily disable security protections. By abusing a Windows function related to hard links, an attacker with low-privileged code execution on the target system can escalate their privileges to gain elevated access. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities Catalog.
Critical Impact
This vulnerability enables local privilege escalation through folder manipulation and hard link abuse, allowing attackers to disable security features and gain elevated system access. Active exploitation has been confirmed in the wild.
Affected Products
- Trend Micro Apex One 2019
- Trend Micro Apex One SaaS
- Trend Micro Worry-Free Business Security 10.0 SP1
- Microsoft Windows (versions prior to 1909 Build 18363.719)
Discovery Timeline
- 2020-09-01 - CVE-2020-24557 published to NVD
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2020-24557
Vulnerability Analysis
This vulnerability represents a local privilege escalation attack vector that exploits improper handling of product folder permissions in Trend Micro's security products. The flaw allows an attacker who has already gained low-privileged access to the target system to manipulate specific folders used by Apex One or Worry-Free Business Security. Through this manipulation, the attacker can temporarily disable security features and leverage Windows hard link functionality to escalate privileges.
The attack requires local access and the ability to execute code with low privileges, making it particularly dangerous in post-exploitation scenarios where an attacker has already established a foothold on the system.
Root Cause
The root cause stems from improper access control mechanisms governing product folders within the Trend Micro security applications. The vulnerability allows unauthorized manipulation of these folders, which can be combined with Windows hard link functionality to bypass security controls. Microsoft addressed the hard link aspect in Windows 10 version 1909 (OS Build 18363.719), but earlier Windows versions remain susceptible to this attack technique.
Attack Vector
The attack is executed locally and requires the attacker to first obtain the ability to run low-privileged code on the target system. The exploitation process involves:
- Gaining initial low-privileged access to the target Windows system
- Identifying and manipulating the vulnerable product folder within Trend Micro's installation
- Abusing Windows hard link functionality to achieve privilege escalation
- Temporarily disabling security protections to maintain elevated access
The local attack vector combined with low privilege requirements and no user interaction needed makes this vulnerability particularly exploitable once an attacker has initial system access.
Detection Methods for CVE-2020-24557
Indicators of Compromise
- Unexpected modifications to Trend Micro Apex One or Worry-Free Business Security installation directories
- Creation of suspicious hard links pointing to system or security product folders
- Temporary disabling or unexpected stoppage of Trend Micro security services
- Evidence of privilege escalation attempts from low-privileged user accounts
Detection Strategies
- Monitor file system activity for hard link creation targeting Trend Micro product folders
- Implement endpoint detection rules for unauthorized modifications to security product directories
- Configure alerts for unexpected changes to Trend Micro service states or configurations
- Analyze Windows Security event logs for privilege escalation patterns following folder manipulation
Monitoring Recommendations
- Enable detailed file auditing on Trend Micro installation directories (C:\Program Files\Trend Micro\)
- Configure SIEM rules to correlate folder manipulation events with subsequent privilege escalation indicators
- Monitor process creation events for low-privileged users spawning high-privileged processes
- Review system logs for evidence of security service interruptions or tampering
How to Mitigate CVE-2020-24557
Immediate Actions Required
- Apply the latest security patches from Trend Micro for Apex One and Worry-Free Business Security immediately
- Upgrade Windows systems to version 1909 (OS Build 18363.719) or later to mitigate the hard link attack vector
- Review and restrict access permissions on Trend Micro product folders
- Audit systems for signs of prior exploitation or unauthorized privilege escalation
Patch Information
Trend Micro has released security patches addressing this vulnerability. Administrators should consult the official vendor advisories for detailed patch information:
- Trend Micro Solution 000263632 - Original security bulletin
- Trend Micro Solution 000267260 - Additional guidance and updates
For detailed technical analysis, refer to the Zero Day Initiative Advisory ZDI-20-1094.
This vulnerability is tracked in the CISA Known Exploited Vulnerabilities Catalog.
Workarounds
- Restrict local access to systems running vulnerable Trend Micro products until patches can be applied
- Implement application whitelisting to prevent unauthorized executables from running on affected systems
- Upgrade Windows operating systems to version 1909 or later as an interim mitigation for the hard link attack technique
- Enhance monitoring of security product directories and service states to detect exploitation attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
