Published: 2012/09/27  Last Updated: 2012/09/28

Trend Micro Control Manager vulnerable to SQL injection


Trend Micro Control Manager contains a SQL injection vulnerability.

Products Affected

  • Trend Micro Control Manager prior to (English version)
  • Trend Micro Control Manager prior to (English version)
  • Trend Micro Control Manager prior to (Japanese version)


Trend Micro Control Manager contains a vulnerability in the ad hoc query module, which may result in SQL injection.


An arbitrary SQL command may be executed in the backend database the product is referencing.


Apply a patch
Apply the appropriate patch according to the information provided by the developer.


  1. US-CERT Vulnerability Note VU#950795
    Trend Micro Control Manager adhoc query vulnerability

JPCERT/CC Addendum

VU#950795 is the same vulnerability.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2012.09.27

Measures | Conditions | Severity
Access Required | must be attacked from a local segment, such as Ethernet, Bluetooth, and 802.11 attacks | Mid-High
Authentication | login caused to be created by an administrator | Low-Mid
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | High
Exploit Complexity | the user must be convinced to take a difficult or suspicious action. If the honest user must have elevated privileges, they are likely to be more suspicious | High



Tom Gregory and Mada R Perdhana of Spentera reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2012-2998
JVN iPedia JVNDB-2012-000090

Update History

"References" and "JPCERT/CC Addendum" updated.