Trend Micro Control Manager vulnerable to SQL injection


Trend Micro Control Manager contains multiple SQL injection vulnerabilities.

This advisory refers to the vulnerabilities that are disclosed on the TippingPoint Zero Day Initiative advisories listed below.

TippingPoint Zero Day Initiative

ZDI-17-180, ZDI-17-181, ZDI-17-182, ZDI-17-183, ZDI-17-184, ZDI-17-185, ZDI-17-186
CVSS Severity (What is CVSS?)

Affected Products

Trend Micro, Inc.
  • Trend Micro Control Manager Version 6.0 prior to build 3506


* An unauthenticated user may access and read files stored on the server
* A remote attacker may execute arbitrary code, escalate privilege or perform directory traversal attacks
* A remote attacker may cause SQL injection attacks and upload/execute arbitrary code

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released Trend Micro Control Manager 6.0 Service Pack 3 Patch 2 Critical Patch (build 3506) to address these vulnerabilities.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

CVE (What is CVE?)


  1. JVN : JVNVU#91290407
  2. Related Information : Zero Day Initiative
  3. Related Information : ZDI-17-180
  4. Related Information : ZDI-17-181
  5. Related Information : ZDI-17-182
  6. Related Information : ZDI-17-183
  7. Related Information : ZDI-17-184
  8. Related Information : ZDI-17-185
  9. Related Information : ZDI-17-186
Revision History

  • [2018/01/17]
      Web page was published