A SQL injection vulnerability has been reported in Trend Micro Control Manager. The vulnerability is due to lack of validation on two parameters in the AdHocQuery_Processor.aspx script. A remote, authenticated attacker could exploit this vulnerability by sending a malicious HTTP request to the target system. Successful exploitation could lead to arbitrary code execution in the security context of the user.