EUVD-2025-21040
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own.
Analysis
Trend Micro Security 17.8 for consumer platforms contains a local privilege escalation vulnerability via improper symlink handling (CWE-64: Improper Link Resolution Before File Access) that allows a local attacker with limited privileges to delete or modify critical Trend Micro system files without user interaction. The vulnerability affects Trend Micro Security 17.8 specifically and carries a CVSS 3.1 score of 7.8 (High) with local attack vector; KEV status, EPSS score, and active exploitation data are not provided in available sources, limiting real-world risk quantification.
Technical Context
This vulnerability exploits improper symlink (symbolic link) resolution in the Trend Micro Security application's file handling routines. CWE-64 (Improper Link Resolution Before File Access / 'Link Following') occurs when an application fails to validate or safely handle symbolic links, allowing an attacker to redirect file operations to unintended locations. In this case, a local attacker with PR:L (low privileges, typically a standard user account) can create malicious symbolic links that the Trend Micro Security process—running with elevated privileges—will follow without validation. When the privileged process attempts to access or delete files it intends to manage, it inadvertently operates on attacker-controlled targets instead. This affects Trend Micro Security consumer product line, version 17.8, which typically runs with system-level or administrative privileges for antivirus and security operations. The AC:L (Low Attack Complexity) and UI:N (No User Interaction) factors indicate the exploit requires no special conditions or social engineering.
Affected Products
Trend Micro Security 17.8 (Consumer) - all supported variants on Windows, macOS, and potentially Linux platforms. CPE representation would be: cpe:2.3:a:trendmicro:security:17.8:*:*:*:consumer:*:*:*. Specific CVE-2025-52521 targets this exact version; earlier and later versions require confirmation from Trend Micro security advisories. No alternative product lines (Maximum Security, Internet Security) are explicitly named, suggesting this is isolated to the base 'Security' consumer offering.
Remediation
1. IMMEDIATE: Update Trend Micro Security to the latest available version (post-17.8 patch release expected from Trend Micro; typically 17.9 or later hotfix). 2. VENDOR ADVISORY: Consult Trend Micro's official security advisory for CVE-2025-52521 at https://www.trendmicro.com/en_us/about/security.html (check support portal for specific patch details). 3. TEMPORARY MITIGATIONS (pending patch): Restrict local user account privileges where feasible; disable Trend Micro file integrity monitoring or automatic file deletion features if available in settings; monitor file system for suspicious symlink creation in Trend Micro working directories (e.g., C:\ProgramData\Trend Micro\). 4. POST-PATCH: Verify successful installation and confirm Trend Micro Security reports version post-17.8; perform a full system scan to ensure no files were tampered with during the vulnerability window.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today