The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory to warn Trend Micro Control Manager customers of an SQL injection vulnerability that affects unpatched versions of the product.
The software doesn’t properly filter user-supplied input within the ad hoc query module. This allows a remote attacker who has access to the Control Manager web interface to conduct an SQL injection attack in order to steal information, cause a denial-of-service condition, or execute arbitrary code.
Trend Micro has been made aware of the issue, and the security hole has been addressed in Trend Micro Control Manager versions 5.5 and 6.0 with critical patches.
As a general good practice, US-CERT advises users to allow connections only from trusted networks and hosts, which prevents an attacker from reaching the product’s web interface in the first place.