CVE-2022-30700 - How Misassigned Permissions in Trend Micro Apex One Can Let Local Attackers Load Malicious DLLs

In May 2022, Trend Micro disclosed CVE-2022-30700 — a vulnerability arising from incorrect permission assignments in Apex One and Apex One as a Service. This bug allows local attackers to load a DLL with higher-than-expected privileges, potentially leading to privilege escalation on targeted systems.

If you’re running Trend Micro Apex One, understanding CVE-2022-30700 is crucial. In this article, we’ll walk through how this vulnerability happens, demo a simple proof-of-concept, and talk about real-world risks and what to do next.

What’s the Problem?

At its core, this vulnerability comes down to Windows permissions gone wrong. A folder or executable is given weak permissions, meaning a local user (non-admin) can drop their own DLL payload somewhere it shouldn’t be — and get it loaded by a privileged process.

In security circles, this is known as a "DLL planting" or "DLL hijacking" attack. If one of the Apex One services or executables loads DLLs from a non-system directory, and that directory is writable by a normal user, you’re in trouble.

Trend Micro summary:  
> "An incorrect permission assignment vulnerability in Trend Micro Apex One and Apex One as a Service could allow a local attacker to load a DLL with escalated privileges."

How It Works (Step by Step)

To exploit CVE-2022-30700, an attacker must already have the ability to run code as a standard Windows user. This is often possible if the attacker has initial access via phishing, malware, or a compromised user account.

Here’s the basic attack path

1. Locate a vulnerable directory: The attacker finds a folder or executable related to Apex One with weak folder or file permissions (for example, C:\Program Files\Trend Micro\Apex One\).
2. Craft a malicious DLL: The attacker creates a DLL that will be executed when loaded by a higher-privileged process.

Plant the DLL: The malicious DLL is copied into the vulnerable folder.

4. Wait for the DLL to be loaded: When the privileged process runs, it loads libraries from that folder and unknowingly executes the attacker’s code, giving them SYSTEM or administrator privileges.

Proof-of-Concept: DLL Hijacking

Below is a simple C-based DLL payload for demonstration purposes. When loaded, it will pop up a message box (but real attackers would run more harmful code):

// Save as malicious.c, compile to malicious.dll
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved) 
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, "Privilege Escalation Achieved!", "CVE-2022-30700", MB_OK);
    }
    return TRUE;
}

You’d build the DLL like this using Visual Studio or mingw-w64 GCC

gcc -shared -o malicious.dll malicious.c -luser32

Note: In a real attack, the DLL would deliver a new shell, add user accounts, or otherwise abuse its SYSTEM-level access.

Finding Vulnerable Folder Permissions

Attackers or penetration testers could use built-in Windows tools to find Apex One directories that are writable:

# Look for folders in Program Files that non-admins can write to
icacls "C:\Program Files\Trend Micro\Apex One" | findstr "(F)"

You’re looking for entries where non-admin groups (like Users) have F (Full access) or M (Modify) permissions.

Exploitation Scenario

Suppose C:\Program Files\Trend Micro\Apex One\xyz.dll is loaded by a privileged Apex One service and the directory is writable:

Apex One service runs as SYSTEM and loads the attacker's xyz.dll.

3. Payload executes: New cmd shell with SYSTEM privileges, new admin user added, or something worse.

Real-World Risks

- Requires local low-privileged access. Not a remote code execution, but easy payload delivery if the attacker can already run code as a standard user.

References and Further Reading

- Trend Micro Advisory for CVE-2022-30700
- NVD CVE Detail
- DLL Hijacking Writeups:

* Understand DLL search order and security

- Mitre Att&ck: Hijack Execution Flow: DLL Search Order Hijacking

How to Protect Yourself

Patch: The main fix is to update Apex One to the latest version. Trend Micro released patches shortly after disclosure.

Check Folder Permissions:  
Audit all Apex One installed directories. Only Administrators and SYSTEM should have write permissions.

# Check permissions
icacls "C:\Program Files\Trend Micro\Apex One"

User Permissions: Limit local user access to only what’s needed.

Local Admin Rights: Don’t use local admin accounts unless absolutely necessary.

Conclusion

CVE-2022-30700 is a classic example of how a small mistake in folder or file permissions can lead to full system compromise. Even if an attacker must first gain a foothold as a low-privileged user, escalating to SYSTEM via DLL hijacking is a dangerous step—one that can make removing malware and tracking lateral movement much harder.

If you use Trend Micro Apex One or Apex One as a Service, patch now.  
Audit your installations for improper permissions. Share this post with your security team and stay ahead of attackers exploiting simple bugs for big wins.

Stay safe!

*This deep dive is exclusive and was crafted for clear, simple understanding. If you found it useful, share it with your team and help strengthen your organization’s defenses.*

Timeline

Published on: 05/27/2022 00:15:00 UTC
Last modified on: 06/08/2022 16:21:00 UTC