CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.
Analysis (AI)
Trend Micro Security 17.8 (Consumer) contains a local privilege escalation vulnerability in which insecure link following allows a low-privileged local attacker to delete privileged Trend Micro files, potentially compromising the security product's integrity. With a CVSS score of 7.8 and low attack complexity (AC:L), this vulnerability poses a significant risk to consumer systems where privilege escalation could disable or corrupt critical security components. No active exploitation (KEV status) or public POC has been reported at this time, but the low barrier to exploitation (local access with low privileges required) warrants prompt patching.
Technical Context (AI)
The vulnerability is rooted in CWE-64 (Improper Control of Generation of Code), which in this context manifests as insecure link/symlink following. Trend Micro Security (CPE likely: cpe:2.3:a:trendmicro:security:17.8:*:*:*:consumer:*:*:*) fails to properly validate symbolic links or shortcut targets before performing file operations with elevated privileges. When a low-privileged user (PR:L) triggers file deletion or maintenance operations, the product follows attacker-controlled links to delete arbitrary privileged files owned by or trusted by Trend Micro processes running at system/administrator level. This is a classic privilege escalation via link-following, where the trust boundary between user-writable directories and privileged operations is not properly maintained.
Remediation (AI)
Immediate:
(1) Update Trend Micro Security to version 18.0 or later (patch version not specified in provided data; consult Trend Micro support portal).
(2) Verify the installed version via Control Panel > Programs and Features or Trend Micro's agent console.

Interim mitigations (pending patch deployment):
(3) Restrict local system access to trusted users only; disable guest accounts and limit service account privileges.
(4) Audit file permissions on Trend Micro installation directories (typically C:\Program Files\Trend Micro or equivalent) to ensure they are not writable by unprivileged users.
(5) Monitor for symbolic links or shortcuts in user-writable directories (%TEMP%, %APPDATA%) that target Trend Micro files.
(6) Run Trend Micro services with minimal required privileges (already standard but verify).

Refer to Trend Micro's official security advisory for patch download links and detailed remediation steps; this information was not included in the provided source data.
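One way to carry out the monitoring in step (5), as an added example that is not Trend Micro's or this page's own tooling: a PowerShell sweep that lists symbolic links, junctions and .lnk shortcuts under %TEMP% and %APPDATA% whose targets resolve inside the install directory. The function names are hypothetical, and the protected path is assumed to be the "typical" location named above.

```powershell
# Added example. Assumption: $ProtectedRoot is the typical install path named on this page.
param(
    [string]   $ProtectedRoot = 'C:\Program Files\Trend Micro',
    [string[]] $ScanRoots     = @($env:TEMP, $env:APPDATA)
)

function Test-UnderRoot {
    param([string]$Path, [string]$Root)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Normalise both paths; the trailing separator stops "...\Trend Micro2" from matching.
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\') + '\'
    $base = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    return $full.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)
}

function Find-LinksIntoRoot {
    param([string[]]$Roots, [string]$Protected)
    $shell = New-Object -ComObject WScript.Shell   # used only to read .lnk targets
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Symbolic links and junctions are NTFS reparse points.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Target is a string or a collection depending on the PowerShell version.
                foreach ($t in @($_.Target)) {
                    if ([string]::IsNullOrWhiteSpace($t)) { continue }
                    # Relative link targets are relative to the link's own directory.
                    if (-not [System.IO.Path]::IsPathRooted($t)) {
                        $t = Join-Path (Split-Path -Parent $_.FullName) $t
                    }
                    if (Test-UnderRoot $t $Protected) {
                        [pscustomobject]@{ Kind = $_.LinkType; Link = $_.FullName; Target = $t }
                    }
                }
            }
        # Shell shortcuts (.lnk) are ordinary files, so resolve them separately.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter *.lnk -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $t = $shell.CreateShortcut($_.FullName).TargetPath
                if (Test-UnderRoot $t $Protected) {
                    [pscustomobject]@{ Kind = 'Shortcut'; Link = $_.FullName; Target = $t }
                }
            }
    }
}

Find-LinksIntoRoot -Roots $ScanRoots -Protected $ProtectedRoot | Format-Table -AutoSize
```

The environment variables resolve for the account running the script, so run it per user profile or pass other directories through `-ScanRoots`. The result is a point-in-time view and will not show links that were created and removed between runs.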
EUVD-2025-18561