CVE-2025-48443
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-08-27
Assigner: Trend Micro, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trendmicro | password_manager | up to 5.8.0.1330 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-64 | The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48443 is a local privilege escalation vulnerability in Trend Micro Password Manager (version 5.0.0.1266 and below) that occurs during the installation process. A local attacker with low privileges can exploit the link-following behavior of the installer by creating a filesystem junction (link) to trick the installer into deleting arbitrary files with administrator-level privileges. Exploitation requires local access and user interaction, and has high attack complexity. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow a local attacker to delete files with administrator privileges during the installation of Trend Micro Password Manager, potentially leading to privilege escalation and arbitrary code execution with SYSTEM-level permissions. This impacts the confidentiality, integrity, and availability of the system, posing a medium severity risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local privilege escalation issue that requires local access and user interaction during the installation of Trend Micro Password Manager version 5.0.0.1266 and below. Detection starts with verifying the installed version of Trend Micro Password Manager to see if it is vulnerable. Since the exploit involves creating junction points (filesystem links) to manipulate the installer, monitoring for suspicious junction creation or unexpected file deletions during installation could help detect exploitation attempts. To check the installed version on Windows, run `wmic product where "name like '%Trend Micro Password Manager%'" get name,version` or look in the application's About section. To list junctions and other reparse points, a command such as `dir /AL /S` can be run in the installation directories. However, no explicit detection commands are provided in the resources. [1, 2]
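The two checks above combined in PowerShell, as an added example that is not taken from the advisory or from Trend Micro. It reads the uninstall registry keys rather than `wmic product`; the DisplayName pattern and the use of each entry's InstallLocation value as the scan root are assumptions, while the fixed version 5.8.0.1330 comes from this page.

```powershell
# Added example (not vendor code): version triage plus reparse-point listing.
$FixedVersion = [version]'5.8.0.1330'              # first fixed version per this page
$NamePattern  = '*Trend Micro Password Manager*'   # assumed DisplayName of the product

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Find the product's uninstall entries and compare versions.
$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern })

if ($installed.Count -eq 0) {
    Write-Output 'No matching uninstall entry found.'
}

foreach ($app in $installed) {
    $parsed = $null
    if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$parsed)) {
        $status = 'UNKNOWN (version could not be parsed)'
    } elseif ($parsed -lt $FixedVersion) {
        $status = 'VULNERABLE (older than 5.8.0.1330)'
    } else {
        $status = 'fixed'
    }
    [pscustomobject]@{
        Name     = $app.DisplayName
        Version  = $app.DisplayVersion
        Location = $app.InstallLocation
        Status   = $status
    }

    # 2. PowerShell equivalent of `dir /AL /S` in the installation directory:
    #    list junctions and symbolic links with their targets.
    if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
        Get-ChildItem -LiteralPath $app.InstallLocation -Recurse -Force `
                -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Select-Object FullName, LinkType, Target, CreationTime
    }
}
```

Any junction whose target lies outside the product's own directory tree is worth reviewing, since that is the condition CWE-64 describes.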
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Trend Micro Password Manager to version 5.8.0.1330 or later, as this version includes a hotfix that addresses the issue. The update is distributed through the product's automatic update mechanism, so ensuring the system is connected to the Internet and allowing the update to install is recommended. For fresh installations, use the latest version. Additionally, restrict local user permissions to prevent low-privileged users from executing code or creating junctions during installation. If further assistance is needed, contact Trend Micro Technical Support. [1, 2]