Vulnerability Summary: Trend Micro Mobile Security for Enterprise add_group Name SQL Injection Remote Code Execution Vulnerability

- CVE ID: CVE-2017-14078
- CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- Affected Vendors: Trend Micro
- Affected Products: Mobile Security for Enterprise
- Vulnerability Details: The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. The flaw exists in the processing of the 'name' field in the add_group action, which does not properly validate user-supplied strings before using them to construct SQL queries, leading to remote code execution under the SYSTEM context.
- Disclosure Timeline:
  - 2017-05-11: Vulnerability reported to vendor
  - 2017-09-15: Coordinated public release of advisory
- Credit: Steven Seeley (mr_me) of Offensive Security & Roberto Suggi Liverani (@malerisch)
- CVSS Score Detail: AV:N (Attack Vector: Network), AC:L (Attack Complexity: Low), Au:S (Authentication: Single), C:C (Confidentiality: Complete), I:C (Integrity: Complete), A:C (Availability: Complete)
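
The flaw class described under Vulnerability Details, as an added example (not Trend Micro's code and not taken from the advisory): a hypothetical add_group handler that builds its query by string concatenation, beside versions that bind the 'name' value as a parameter and validate it first. SQLite, the table layout, the function names and the allow-list pattern are assumptions chosen so the example runs offline; the sample input is constructed.

```python
import re
import sqlite3

# Assumption: group names are short labels. This allow-list is illustrative only.
NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def new_db():
    """In-memory stand-in for the product database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return db


def add_group_concat(db, name):
    """Weak pattern: the 'name' value becomes part of the SQL text itself."""
    db.execute("INSERT INTO groups (name) VALUES ('" + name + "')")
    db.commit()


def add_group_bound(db, name):
    """Parameter binding: the value can never change the statement's structure."""
    db.execute("INSERT INTO groups (name) VALUES (?)", (name,))
    db.commit()


def add_group_hardened(db, name):
    """Validate against the allow-list, then bind."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid group name")
    add_group_bound(db, name)


def names(db):
    return [row[0] for row in db.execute("SELECT name FROM groups ORDER BY id")]


if __name__ == "__main__":
    sample = "Sales'), ('Extra"  # constructed input containing SQL metacharacters

    weak = new_db()
    add_group_concat(weak, sample)
    print("concatenated:", names(weak))  # one request, two rows: data parsed as SQL

    safe = new_db()
    add_group_bound(safe, sample)
    print("bound:       ", names(safe))  # one row, stored literally
```
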