Trend Micro has disclosed details of eight CVEs in its Mobile Security for Enterprise 9.8 product suite, three of which are rated critical severity.
Some of the bugs were discovered through the Zero Day Initiative (ZDI), while others were reported to Trend Micro by Poh Jia Hao of STAR Labs and Tenable Security.
ZDI advisories identify CVE-2023-32523 and CVE-2023-32524, both authentication bypass bugs, as critical vulnerabilities.
They are both exploitable by remote attackers.
According to the ZDI, the bug “exists within the WFUser class defined within the web/widget path”, and is an improper implementation of authentication.
Also rated critical is CVE-2023-32521, which Trend Micro describes only as an unauthenticated file deletion vulnerability.
Trend Micro also advised of two lower-rated remote authentication bypasses, CVE-2023-32523 and CVE-2023-32524, which it said could possibly be chained with other vulnerabilities.