Remote attackers are constantly finding innovative ways to disrupt cybersecurity defenses — and CVE-2022-24678 is a clear example of that. This critical vulnerability, affecting multiple Trend Micro products, can cause your server to stop functioning just by filling up its hard drive. In this article, we’ll break down what CVE-2022-24678 is, how attackers exploit it, and provide a demonstration to help you understand the practical risk.
What is CVE-2022-24678?
CVE-2022-24678 is a denial-of-service (DoS) vulnerability in certain Trend Micro endpoint security products, including:
- Trend Micro Apex One
- Trend Micro Worry-Free Business Security Services
The problem:
These agents write their temporary logs to a specific folder, but the agent does not adequately restrict or clean up log file creation by external processes. An attacker who can access or interact with the agent's logging mechanism can repeatedly generate logs until the disk is full. This can halt your security software and other services, and may crash the system outright.
Who’s At Risk?
If you run any of these Trend Micro agent products on Windows endpoints or servers, especially if attackers can interact with agents via the local network or dropped files, you are vulnerable.
How the Exploit Works
The Trend Micro security agent logs security-related actions and events into a temporary folder, usually located at a directory such as:
C:\Program Files\Trend Micro\Apex One\Temp\
Under certain conditions, the agent fails to regulate the size or count of log files in this location. If a malicious user (with low privileges or as a guest user) can cause repeated events that generate log output, the agent will dutifully log them — without upper limit.
Proof-of-Concept: Resource Exhaustion
Suppose an attacker knows the agent logs every time a network share is accessed incorrectly, or whenever a rare event happens (say, a scan job fails). They can run a script that triggers this action thousands of times per minute, producing logs that accumulate until the hard drive is full.
Here’s a simple PowerShell script to simulate flooding a directory with log files (for local testing ONLY):
```powershell
# WARNING: Do not run in production. Demonstration only!
$targetPath = "C:\Program Files\Trend Micro\Apex One\Temp\"
for ($i = 0; $i -lt 100000; $i++) {
    # Build a unique file name per iteration and write one line into it
    $filename = $targetPath + "attack_log_" + $i.ToString() + ".txt"
    "Malicious log entry $i" | Out-File -Encoding ASCII -FilePath $filename
    # Progress report every 100 files
    if ($i % 100 -eq 0) {
        Write-Host "$i files created..."
    }
}
```
In the real exploit:
The attacker would use agent-internal or network methods to trigger the agent's own logging rather than creating files directly. The point is that the agent never deletes or rotates old logs, so the disk fills up fast.
Exploit Impact
- Availability loss: Security services and potentially the entire endpoint/server may be disrupted until the disk is cleaned up.
- Easy to automate: Minimal skill needed; in some configurations it can be done without code-execution privileges.
- No code execution required: “Just” log flooding; doesn’t require running malware or privilege escalation.
Trend Micro has acknowledged the vulnerability and released patches for all affected products:
- Trend Micro Apex One critical patches
- Worry-Free Business Security updates
If you use these products:
Patch immediately. If you can’t, limit access to agent interaction and monitor temporary directory sizes closely.
Protecting Your Environment
1. Update your agents.
The best defense is to run the latest, patched version.
2. Monitor log directory growth.
Regularly check log/temp folders for sudden growth.
3. Restrict agent access.
Limit who can interact with Trend Micro agents on the network.
4. Disk quotas.
Consider implementing disk quotas for sensitive folders.
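As an added example (not the article's or Trend Micro's code), the following PowerShell function covers the monitoring side of steps 2 and 4: it samples the temp folder twice, flags abnormal file or byte growth between the samples, and warns when free space on the drive drops below a threshold. The folder path and the thresholds are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Trend Micro): sample a log/temp folder twice and
# flag abnormal growth or low free space. Path and thresholds are assumptions; tune them.
function Get-FolderUsage {
    param([Parameter(Mandatory)][string]$Path)
    $files = Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue
    $sum = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{ Files = @($files).Count; Bytes = [long]$sum }   # [long]$null is 0
}

function Test-LogFlood {
    param(
        [string]$Path = 'C:\Program Files\Trend Micro\Apex One\Temp\',  # folder named in the article
        [int]$IntervalSeconds = 60,
        [int]$MaxNewFiles = 200,        # more new files than this per interval is suspicious
        [long]$MaxNewBytes = 50MB,      # more new bytes than this per interval is suspicious
        [int]$MinFreePercent = 10       # warn before the disk actually fills
    )
    $before = Get-FolderUsage -Path $Path
    Start-Sleep -Seconds $IntervalSeconds
    $after = Get-FolderUsage -Path $Path

    $newFiles = $after.Files - $before.Files
    $newBytes = $after.Bytes - $before.Bytes
    $root = [System.IO.Path]::GetPathRoot($Path)           # e.g. C:\
    $drive = Get-PSDrive -Name $root.Substring(0, 1)
    $total = $drive.Free + $drive.Used
    $freePercent = if ($total -gt 0) { [math]::Round(100 * $drive.Free / $total, 1) } else { 100 }

    $alerts = @()
    if ($newFiles -gt $MaxNewFiles) { $alerts += "$newFiles new files in ${IntervalSeconds}s" }
    if ($newBytes -gt $MaxNewBytes) { $alerts += "$([math]::Round($newBytes / 1MB, 1)) MB added in ${IntervalSeconds}s" }
    if ($freePercent -lt $MinFreePercent) { $alerts += "only $freePercent% free on $root" }

    [pscustomobject]@{
        Path        = $Path
        Files       = $after.Files
        NewFiles    = $newFiles
        NewMB       = [math]::Round($newBytes / 1MB, 1)
        FreePercent = $freePercent
        Suspicious  = ($alerts.Count -gt 0)
        Alerts      = ($alerts -join '; ')
    }
}

# One sample; run it from Task Scheduler or in a loop to keep watching.
$result = Test-LogFlood
if ($result.Suspicious) { Write-Warning "Possible log flood: $($result.Alerts)" }
$result
```

Feed the returned object to your SIEM or to Write-EventLog so a sustained burst of new files in the agent's temp folder raises an alert before the drive is exhausted.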
References and Further Reading
- Trend Micro Official Advisory for CVE-2022-24678
- NIST National Vulnerability Database Entry for CVE-2022-24678
Conclusion
CVE-2022-24678 is a stark warning: something as simple as unregulated log files can crash your security infrastructure. Stay ahead of attackers by patching your systems, keeping an eye on resource usage, and never underestimating the power of “ordinary” bugs.
Stay safe!
*(All information in this article is for educational purposes only. Do not attempt unauthorized testing on systems you do not own or have explicit permission to test.)*
Timeline
Published on: 02/24/2022 03:15:00 UTC
Last modified on: 03/03/2022 03:38:00 UTC