
CVE-2025-0664: CWE-94 Improper Control of Generation of Code ('Code Injection') in Trellix Endpoint Security (HX) Agent

Severity: Medium
Tags: Vulnerability, CVE-2025-0664, CWE-94
Published: Mon Jul 21 2025 (07/21/2025, 07:08:24 UTC)
Source: CVE Database V5
Vendor/Project: Trellix
Product: Trellix Endpoint Security (HX) Agent

Description

A locally authenticated, privileged user can craft a malicious OpenSSL configuration file, potentially leading the agent to load an arbitrary local library. This may impair endpoint defenses and allow the attacker to achieve code execution with SYSTEM-level privileges.

AI-Powered Analysis

Last updated: 07/21/2025, 07:31:18 UTC

Technical Analysis

CVE-2025-0664 is classified under CWE-94 (Improper Control of Generation of Code, 'Code Injection') and affects Trellix Endpoint Security (HX) Agent versions 36.30.0 and 35.31.28. A locally authenticated user who already holds elevated privileges crafts a malicious OpenSSL configuration file; when the agent initialises OpenSSL it honours that file and can be directed to load an arbitrary local library. Because the agent runs as SYSTEM, the library's code runs with SYSTEM-level privileges inside the agent process.

The CVE record does not say which directive is involved, but this is the ordinary way an OpenSSL configuration turns into a library load: the file can list ENGINE modules (a section whose dynamic_path points at a shared object or DLL) or, in OpenSSL 3.x, providers (a section with a module path), and libcrypto loads those paths during initialisation; in a default build the OPENSSL_CONF environment variable and .include directives determine which file is read. The root cause is therefore not a parsing flaw but trust in a configuration file that a local attacker can write or substitute, so the relevant questions are where the agent reads its configuration from and who can write there, not how its contents are sanitised.

Exploitation requires local access with high privileges, no user interaction and no network access; the CVSS v4.0 base score is 6.7 (medium). On Windows an administrator can usually reach SYSTEM by other means, so the privilege gain itself is modest. The more significant consequence is that attacker code executes inside the endpoint security agent's own process, which lets it impair or bypass protections that trust that process: this is primarily a defence-evasion issue in a component organisations rely on for security enforcement. No exploits in the wild have been reported and no patches have been linked to the record yet, so the vulnerability should be treated as an open item until Trellix publishes a fix.

Potential Impact

For European organizations, the impact of CVE-2025-0664 can be significant, especially for enterprises and government entities that deploy Trellix Endpoint Security (HX) Agent as part of their endpoint protection strategy. Successful exploitation allows an attacker with local privileged access to disable or circumvent endpoint defenses, potentially leading to full system compromise, data theft, or lateral movement within corporate networks. This can undermine compliance with European data protection regulations such as GDPR, as compromised endpoints may lead to unauthorized data access or breaches. Critical infrastructure operators and organizations in regulated sectors (finance, healthcare, energy) are particularly exposed because of the potential for disruption or espionage. The requirement for local privileged access limits the attack surface but does not eliminate the risk: insider threats, or attackers who have already gained elevated privileges through other means, can use this vulnerability to run code inside the security agent itself and blind it. The absence of known exploits reduces the immediate risk, but no patch has been linked yet, so organizations must monitor the affected endpoints and apply the vendor fix as soon as it is released.

Mitigation Recommendations

1. Restrict privileged local access to trusted personnel and audit existing privileged accounts for suspicious activity; the vulnerability is only reachable by a user who is already privileged on the endpoint.
2. Identify which OpenSSL configuration file the agent reads (in a default OpenSSL build this is the openssl.cnf under the library's OPENSSLDIR, overridable through the OPENSSL_CONF environment variable) and make sure that file, its directory and any file it pulls in via .include are writable only by the accounts that must administer the host. Apply the same review to the system-wide and service environment variables the agent process inherits.
3. Monitor that configuration file with file integrity monitoring, and watch for the Trellix agent process loading libraries from user-writable locations (Sysmon Event ID 7, Image loaded, or the equivalent EDR telemetry), since the loaded library is the observable artefact of exploitation.
4. Apply the vendor fix as soon as Trellix publishes it. Do not disable or remove the agent as a stopgap: the vulnerability needs a privileged local attacker, while switching the agent off weakens the endpoint against every other attacker.
5. Use application control (allow-listing) so that only signed, expected libraries can be loaded from the paths involved; a library dropped in a user-writable directory should not be loadable at all.
6. Enforce least privilege: review who holds local administrative rights and remove rights that are not needed, since privileged local access is the precondition for exploitation.
7. Hunt for local privilege-escalation attempts and anomalous behaviour in or around the Trellix agent process, such as unexpected child processes or module loads.
8. Contact Trellix support for any available workaround or configuration change that can be applied until the fix is released.
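The technical analysis above describes how an OpenSSL configuration turns into a library load, and items 2 and 3 of the mitigations ask for a check on the configuration file the agent reads. The following is an added example written for this page, not Trellix code and not part of the CVE record: it parses an OpenSSL configuration, follows the activation chain libcrypto walks at initialisation (default-section openssl_conf, then the engines/providers listings, then one section per engine or provider), and reports every dynamic_path, module and .include directive, marking whether it is reachable and whether it points inside an allow-listed directory. The allowed directory, the sample configurations and the path of the planted DLL are constructed for illustration.

```python
"""Audit an OpenSSL config for directives that make libcrypto load a library.

Added example, not Trellix code and not from the CVE record. Sample configs
and the allow-listed directory below are constructed assumptions.
"""
import re

# Directives whose value libcrypto hands to dlopen()/LoadLibrary():
#   dynamic_path -> ENGINE "dynamic" (OpenSSL 1.x engines, deprecated in 3.x)
#   module       -> provider module (OpenSSL 3.x)
LOADER_KEYS = ("dynamic_path", "module")


def parse_openssl_conf(text):
    """Minimal parser for the INI-like OpenSSL format.

    Returns ({section: {key: value}}, [include_paths]); the unnamed leading
    section is stored under ''. '.include' lines are reported separately.
    """
    sections, includes, current = {"": {}}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.startswith(".include"):
            includes.append(line[len(".include"):].lstrip(" =").strip('"'))
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections, includes


def reachable_sections(sections):
    """Sections libcrypto acts on: openssl_conf -> init -> engines/providers
    -> one section per engine or provider. Unreferenced sections are inert."""
    reached = set()
    init = sections[""].get("openssl_conf")
    if init not in sections:
        return reached
    reached.add(init)
    for list_key in ("engines", "providers"):
        listing = sections[init].get(list_key)
        if listing in sections:
            reached.add(listing)
            reached.update(t for t in sections[listing].values() if t in sections)
    return reached


def _under(path, directory):
    """Case-insensitive 'path lies inside directory' for Windows-style paths."""
    p = path.lower().replace("/", "\\")
    d = directory.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p.startswith(d)


def audit_openssl_conf(text, allowed_dirs):
    """Every directive that would load a library, with reachability and
    allow-list verdicts. allowed_dirs: admin-only directories from which
    module loads are expected (assumption: the caller knows these)."""
    sections, includes = parse_openssl_conf(text)
    reached = reachable_sections(sections)
    findings = []
    for name, keys in sections.items():
        for key in LOADER_KEYS:
            if key in keys:
                findings.append({"section": name, "key": key, "path": keys[key],
                                 "reachable": name in reached,
                                 "allowed": any(_under(keys[key], d) for d in allowed_dirs)})
    for inc in includes:   # an included file can carry any of the above
        findings.append({"section": "", "key": ".include", "path": inc,
                         "reachable": True,
                         "allowed": any(_under(inc, d) for d in allowed_dirs)})
    return findings


def suspicious(findings):
    """What a responder looks at first: reachable loads outside the allow-list."""
    return [f for f in findings if f["reachable"] and not f["allowed"]]


# Assumption (hypothetical path): modules are expected only from here.
ALLOWED_DIRS = [r"C:\Program Files\OpenSSL\lib\ossl-modules"]

# Constructed sample: an ordinary config activating only the built-in default provider.
BENIGN_CONF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
"""

# Constructed sample of a crafted file: an engine whose dynamic_path sits in a
# user-writable directory, a legitimate provider, an .include from a
# user-writable directory, and an unreferenced (inert) section.
CRAFTED_CONF = r"""
openssl_conf = openssl_init
.include C:\Users\Public\extra.cnf
[openssl_init]
engines = engine_section
providers = provider_sect
[engine_section]
evil = evil_engine
[evil_engine]
engine_id = evil
dynamic_path = C:\Users\Public\evil.dll
init = 1
[provider_sect]
legacy = legacy_sect
[legacy_sect]
module = C:\Program Files\OpenSSL\lib\ossl-modules\legacy.dll
activate = 1
[orphan]
dynamic_path = C:\Temp\unused.dll
"""

if __name__ == "__main__":
    for label, conf in (("benign", BENIGN_CONF), ("crafted", CRAFTED_CONF)):
        hits = suspicious(audit_openssl_conf(conf, ALLOWED_DIRS))
        print(f"{label}: {len(hits)} suspicious load(s)")
        for f in hits:
            print(f"  [{f['section'] or 'default'}] {f['key']} = {f['path']}")
```

Run against the two constructed samples, the benign configuration produces no findings, while the crafted one reports the engine's dynamic_path and the .include as reachable loads from outside the allow-list; the legitimate provider is reported but allowed, and the orphan section is reported as unreachable. On a real endpoint the input is the openssl.cnf the agent actually reads (and whatever OPENSSL_CONF points at), and the allow-list is the set of directories only administrators can write to; any reachable load outside it is the pattern this advisory describes.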


Technical Details

Data Version
5.1
Assigner Short Name
trellix
Date Reserved
2025-01-23T07:31:41.002Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687de936a83201eaac0a1148

Added to database: 7/21/2025, 7:16:06 AM

Last enriched: 7/21/2025, 7:31:18 AM

Last updated: 7/22/2025, 8:12:37 PM

