Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.
AnalysisAI
Local privilege escalation vulnerability in Trend Micro Security 17.8 (Consumer) that exploits insecure link following to allow a low-privileged local attacker to delete privileged Trend Micro files, potentially compromising the security product's integrity. With a CVSS score of 7.8 and low attack complexity (AC:L), this vulnerability poses a significant risk to consumer systems where privilege escalation could disable or corrupt critical security components. No active exploitation (KEV status) or public POC has been reported at this time, but the low barrier to exploitation (local access with low privileges required) warrants prompt patching.
Technical ContextAI
The vulnerability is rooted in CWE-64 (Improper Control of Generation of Code), which in this context manifests as insecure link/symlink following. Trend Micro Security (CPE likely: cpe:2.3:a:trendmicro:security:17.8:*:*:*:consumer:*:*:*) fails to properly validate symbolic links or shortcut targets before performing file operations with elevated privileges. When a low-privileged user (PR:L) triggers file deletion or maintenance operations, the product follows attacker-controlled links to delete arbitrary privileged files owned by or trusted by Trend Micro processes running at system/administrator level. This is a classic privilege escalation via link-following, where the trust boundary between user-writable directories and privileged operations is not properly maintained.
RemediationAI
Immediate: (1) Update Trend Micro Security to version 18.0 or later (patch version not specified in provided data; consult Trend Micro support portal). (2) Verify the installed version via Control Panel > Programs and Features or Trend Micro's agent console. Interim mitigations (pending patch deployment): (3) Restrict local system access to trusted users only; disable guest accounts and limit service account privileges. (4) Audit file permissions on Trend Micro installation directories (typically C:\Program Files\Trend Micro or equivalent) to ensure they are not writable by unprivileged users. (5) Monitor for symbolic links or shortcuts in user-writable directories (%TEMP%, %APPDATA%) that target Trend Micro files. (6) Run Trend Micro services with minimal required privileges (already standard but verify). Refer to Trend Micro's official security advisory for patch download links and detailed remediation steps; this information was not included in the provided source data.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-64 – Windows Shortcut Following (.LNK)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18561