Skip to main content

Trend Micro CVE-2025-52521

| EUVDEUVD-2025-21040 HIGH
Windows Shortcut Following (.LNK) (CWE-64)
2025-07-10 security@trendmicro.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:28 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
17.8.1476
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21040
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 19:15 nvd
HIGH 7.8

DescriptionCVE.org

Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.

AnalysisAI

Trend Micro Security 17.8 for consumer platforms contains a local privilege escalation vulnerability via improper symlink handling (CWE-64: Improper Link Resolution Before File Access) that allows a local attacker with limited privileges to delete or modify critical Trend Micro system files without user interaction. The vulnerability affects Trend Micro Security 17.8 specifically and carries a CVSS 3.1 score of 7.8 (High) with local attack vector; KEV status, EPSS score, and active exploitation data are not provided in available sources, limiting real-world risk quantification.

Technical ContextAI

This vulnerability exploits improper symlink (symbolic link) resolution in the Trend Micro Security application's file handling routines. CWE-64 (Improper Link Resolution Before File Access / 'Link Following') occurs when an application fails to validate or safely handle symbolic links, allowing an attacker to redirect file operations to unintended locations. In this case, a local attacker with PR:L (low privileges, typically a standard user account) can create malicious symbolic links that the Trend Micro Security process—running with elevated privileges—will follow without validation. When the privileged process attempts to access or delete files it intends to manage, it inadvertently operates on attacker-controlled targets instead. This affects Trend Micro Security consumer product line, version 17.8, which typically runs with system-level or administrative privileges for antivirus and security operations. The AC:L (Low Attack Complexity) and UI:N (No User Interaction) factors indicate the exploit requires no special conditions or social engineering.

RemediationAI

  1. IMMEDIATE: Update Trend Micro Security to the latest available version (post-17.8 patch release expected from Trend Micro; typically 17.9 or later hotfix). 2. VENDOR ADVISORY: Consult Trend Micro's official security advisory for CVE-2025-52521 at https://www.trendmicro.com/en_us/about/security.html (check support portal for specific patch details). 3. TEMPORARY MITIGATIONS (pending patch): Restrict local user account privileges where feasible; disable Trend Micro file integrity monitoring or automatic file deletion features if available in settings; monitor file system for suspicious symlink creation in Trend Micro working directories (e.g., C:\ProgramData\Trend Micro\). 4. POST-PATCH: Verify successful installation and confirm Trend Micro Security reports version post-17.8; perform a full system scan to ensure no files were tampered with during the vulnerability window.
CVE-2016-7552 CRITICAL POC
9.8 Apr 12

On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows

CVE-2016-7547 CRITICAL POC
9.8 Apr 12

A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in

CVE-2017-11394 CRITICAL POC
9.8 Aug 03

Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr

CVE-2017-11391 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2017-11392 HIGH POC
8.8 Aug 03

Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att

CVE-2016-6267 HIGH POC
8.8 Jan 30

SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330

CVE-2017-6398 HIGH POC
8.8 Mar 14

An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C

CVE-2017-7896 MEDIUM POC
6.1 Apr 18

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV

CVE-2017-14078 CRITICAL
9.8 Sep 22

SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac

CVE-2016-3987 CRITICAL POC
9.8 Apr 12

The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para

CVE-2017-14089 CRITICAL POC
9.8 Oct 06

An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u

CVE-2020-8606 CRITICAL POC
9.8 May 27

A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent

Share

CVE-2025-52521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy