Skip to content
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,19 +1,37 @@
{
"schema_version": "1.4.0",
"id": "GHSA-rjc8-fqvx-g34c",
"modified": "2026-05-21T15:34:09Z",
"modified": "2026-05-21T15:34:18Z",
"published": "2026-05-21T15:34:09Z",
"aliases": [
"CVE-2025-71215"
],
"details": "A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release).",
"summary": "Local Privilege Escalation via iCore TOCTOU Race Condition in Trend Micro Apex One (macOS)",
"details": "### Summary\nA Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability exists in the `iCore` service signature verification routine of the Trend Micro Apex One (macOS) security agent. The application fails to maintain atomic file operations during executable and configuration validation stages. \n\n### Impact\nA local attacker who has already obtained low-privileged code execution capabilities on the host endpoint can exploit this vulnerability. By strategically altering targeted symbolic links or modifying file payloads between the moment the `iCore` service validates a signature file (the check) and the moment it executes or applies it (the use), the attacker can hijack the privileged operation loop. Successful exploitation allows the attacker to execute arbitrary system code with elevated system root privileges.\n\n### Remediation\nThis vulnerability affects legacy local client deployments. It was fully addressed by the vendor in mid-to-late 2025:\n* **SaaS Deployments:** Upgraded automatically starting with the **SaaS 2507** cloud tenant milestone.\n* **On-Premise Managed Agents:** Ensure clients have synchronized via ActiveUpdate to receive the **2005 Yearly Release** updates (or newer engine/signature versions equivalent to Patch Build 14136).",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "Trend_Micro_Apex_One_(macOS-Security-Agent)"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"affected": [],
"references": [
{
"type": "ADVISORY",
Expand Down