CVE-2016-6266

Name of the Vulnerable Software and Affected Versions Trend Micro Smart Protection Server versions 2.5 before build 2200 Trend Micro Smart Protection Server versions 2.6 before build 2106 Trend Micro Smart Protection Server versions 3.0 before build 1330

Description The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain parameters. This can be done through the host or apikey parameter in a register action, the enable parameter in a save stting action, or the host or apikey parameter in a test connection action.

Recommendations For Trend Micro Smart Protection Server version 2.5 before build 2200, update to build 2200 or later. For Trend Micro Smart Protection Server version 2.6 before build 2106, update to build 2106 or later. For Trend Micro Smart Protection Server version 3.0 before build 1330, update to build 1330 or later. As a temporary workaround, consider restricting access to the ccca ajaxhandler.php file until a patch is available. Avoid using the host, apikey, and enable parameters in the affected actions until the issue is resolved.