CVE-2017-11395

high

Published 2017-09-22 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2

6.5

VIR risk

8.8

Description

Command injection vulnerability in Trend Micro Smart Protection Server (Standalone) 3.1 and 3.2 server administration UI allows attackers with authenticated access to execute arbitrary code on vulnerable installations.

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@trendmicro.com — https://success.trendmicro.com/solution/1117933

Application impact

Vendor	Product	Versions	Fixed
trendmicro	smart_protection_server	`3.1`
trendmicro	smart_protection_server	`3.2`

References

http://www.coresecurity.com/advisories/trend-micro-smart-protection-os-command-injection
http://www.securityfocus.com/bid/100461
https://success.trendmicro.com/solution/1117933
http://www.coresecurity.com/advisories/trend-micro-smart-protection-os-command-injection
http://www.securityfocus.com/bid/100461
https://success.trendmicro.com/solution/1117933

CWEs

CWE-78

Verify integrity in audit chain (admin only). AS-IS.