Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.
AnalysisAI
Trend Micro Security 17.8 for consumer platforms contains a local privilege escalation vulnerability via improper symlink handling (CWE-64: Improper Link Resolution Before File Access) that allows a local attacker with limited privileges to delete or modify critical Trend Micro system files without user interaction. The vulnerability affects Trend Micro Security 17.8 specifically and carries a CVSS 3.1 score of 7.8 (High) with local attack vector; KEV status, EPSS score, and active exploitation data are not provided in available sources, limiting real-world risk quantification.
Technical ContextAI
This vulnerability exploits improper symlink (symbolic link) resolution in the Trend Micro Security application's file handling routines. CWE-64 (Improper Link Resolution Before File Access / 'Link Following') occurs when an application fails to validate or safely handle symbolic links, allowing an attacker to redirect file operations to unintended locations. In this case, a local attacker with PR:L (low privileges, typically a standard user account) can create malicious symbolic links that the Trend Micro Security process—running with elevated privileges—will follow without validation. When the privileged process attempts to access or delete files it intends to manage, it inadvertently operates on attacker-controlled targets instead. This affects Trend Micro Security consumer product line, version 17.8, which typically runs with system-level or administrative privileges for antivirus and security operations. The AC:L (Low Attack Complexity) and UI:N (No User Interaction) factors indicate the exploit requires no special conditions or social engineering.
RemediationAI
- IMMEDIATE: Update Trend Micro Security to the latest available version (post-17.8 patch release expected from Trend Micro; typically 17.9 or later hotfix). 2. VENDOR ADVISORY: Consult Trend Micro's official security advisory for CVE-2025-52521 at https://www.trendmicro.com/en_us/about/security.html (check support portal for specific patch details). 3. TEMPORARY MITIGATIONS (pending patch): Restrict local user account privileges where feasible; disable Trend Micro file integrity monitoring or automatic file deletion features if available in settings; monitor file system for suspicious symlink creation in Trend Micro working directories (e.g., C:\ProgramData\Trend Micro\). 4. POST-PATCH: Verify successful installation and confirm Trend Micro Security reports version post-17.8; perform a full system scan to ensure no files were tampered with during the vulnerability window.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-64 – Windows Shortcut Following (.LNK)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21040