CVE-2025-3771: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Trellix System Information Reporter

Severity: High
Published: Thu Jun 26 2025 (06/26/2025, 11:05:18 UTC)
Source: CVE Database V5
Vendor/Project: Trellix
Product: System Information Reporter

Description

A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by adding a malicious entry to the registry under the Trellix SIR registry folder, or via policy, or with a junction symbolic link to files that the user would not normally have permission to access.

AI-Powered Analysis

Last updated: 06/26/2025, 11:35:08 UTC

Technical Analysis

CVE-2025-3771 is a high-severity vulnerability in Trellix System Information Reporter (SIR), affecting version 1.0.3 and earlier per the CVE description. It is categorized under CWE-59, improper link resolution before file access, commonly called 'link following'. The weakness lies in how SIR writes its registry backup files: the application does not verify that the destination path is free of junctions or symbolic links before it opens the file for writing. A local user with limited privileges who can influence where the backup is written (through an entry under the Trellix SIR registry folder, through policy, or by placing a junction in the expected location) can point that path at a file the user could not otherwise modify. When SIR, running with higher privileges, writes its backup, the write follows the link and lands on the link's target, giving an unauthorized file write that can overwrite critical files or place attacker-chosen content in sensitive locations. The CVSS 4.0 base score is 7.2 (high), reflecting a local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although exploitation requires local access and an authenticated account, the arbitrary write can be leveraged to escalate privileges or to crash the system. No exploits in the wild have been reported, and no patch has been linked at the time of this analysis. Trellix System Information Reporter is a system information collection and reporting tool commonly deployed in enterprise environments for IT management and security auditing.
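The analysis above describes the generic CWE-59 pattern: a privileged process writes a backup file to a path that an unprivileged user has been able to replace with a link, and the write follows the link. The following added example (written for this page, not code from Trellix or from the SIR product) contrasts a naive write with a hardened one that walks every path component with lstat, refuses links and Windows reparse points, opens with O_NOFOLLOW where the platform has it, and re-checks the open handle against the path to narrow the check-then-open race. The directory layout, the file names `protected.dat` and `registry-backup.reg`, and the backup directory are constructed for the demonstration; creating the symbolic link requires symlink rights on Windows, while on POSIX it runs as-is.

```python
import os
import stat
import tempfile

# Windows marks junctions and symlinks with this attribute; the constant exists in the
# stat module on every platform, but st_file_attributes is only present on Windows.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


class LinkFollowingError(RuntimeError):
    """Raised when a backup path would resolve through a symbolic link or junction."""


def naive_write(path: str, data: bytes) -> None:
    # The CWE-59 pattern: open() resolves any link in the path, so a link planted
    # where the backup is expected redirects the write to the link's target.
    with open(path, "wb") as f:
        f.write(data)


def assert_no_links(path: str, trusted_root: str) -> None:
    """Refuse paths that leave trusted_root or pass through a link below it."""
    root = os.path.abspath(trusted_root)
    target = os.path.abspath(path)  # abspath does not resolve links, unlike realpath
    if os.path.commonpath([root, target]) != root:
        raise LinkFollowingError(f"{path} is outside {trusted_root}")
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)  # lstat reports the link itself, not its target
        except FileNotFoundError:
            return  # nothing further exists yet, so there is nothing to follow
        if stat.S_ISLNK(st.st_mode) or getattr(st, "st_file_attributes", 0) & REPARSE:
            raise LinkFollowingError(f"{current} is a link or junction")


def safe_write(path: str, data: bytes, trusted_root: str) -> None:
    """Write a backup file without following links: check, then open with O_NOFOLLOW."""
    assert_no_links(path, trusted_root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        # Narrow the check-then-open race: the open handle must be the same object
        # that a fresh lstat of the path reports, otherwise the path was swapped.
        st_fd, st_path = os.fstat(fd), os.lstat(path)
        if (st_fd.st_dev, st_fd.st_ino) != (st_path.st_dev, st_path.st_ino):
            raise LinkFollowingError(f"{path} changed between check and open")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a link named like the backup file sits in the backup directory."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = os.path.join(tmp, "backup")
        os.mkdir(backup_dir)
        protected = os.path.join(tmp, "protected.dat")  # stands in for a file the tool must never touch
        with open(protected, "wb") as f:
            f.write(b"original")
        planted = os.path.join(backup_dir, "registry-backup.reg")  # hypothetical backup file name
        os.symlink(protected, planted)  # constructed link; needs symlink rights on Windows

        naive_write(planted, b"backup contents")
        with open(protected, "rb") as f:
            naive_overwrote = f.read() == b"backup contents"

        with open(protected, "wb") as f:
            f.write(b"original")  # reset before the hardened run
        try:
            safe_write(planted, b"backup contents", backup_dir)
            hardened_refused = False
        except LinkFollowingError:
            hardened_refused = True
        with open(protected, "rb") as f:
            hardened_untouched = f.read() == b"original"

        ordinary = os.path.join(backup_dir, "ordinary.reg")  # a normal, link-free path still works
        safe_write(ordinary, b"backup contents", backup_dir)
        with open(ordinary, "rb") as f:
            ordinary_written = f.read() == b"backup contents"

    return {
        "naive_overwrote": naive_overwrote,
        "hardened_refused": hardened_refused,
        "hardened_untouched": hardened_untouched,
        "ordinary_written": ordinary_written,
    }


if __name__ == "__main__":
    print(demo())
```

The component-by-component lstat is what actually matters: a realpath-then-compare check is not enough, because realpath resolves the link and reports the target as if it were the legitimate destination. On Windows the same walk should additionally reject reparse points, which is why the attribute check is included; the fstat/lstat comparison does not detect hard links, and that case needs separate handling.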

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily in environments where Trellix System Information Reporter is deployed, especially in enterprises relying on this tool for system inventory and registry backup processes. The ability for a local user to write files arbitrarily can lead to privilege escalation, persistence mechanisms, or sabotage of system integrity. This could result in unauthorized access to sensitive configuration data, disruption of system monitoring, or interference with incident response activities. Given the critical role of registry backups in Windows system recovery and configuration, tampering with these files could cause system instability or complicate forensic investigations. Organizations in sectors with strict regulatory requirements for data integrity and system availability, such as finance, healthcare, and critical infrastructure, may face compliance risks and operational disruptions. The local nature of the attack vector means insider threats or compromised user accounts pose the greatest risk. However, in environments with shared workstations or insufficient endpoint security, the vulnerability could be exploited to move laterally or escalate privileges.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first determine whether Trellix System Information Reporter version 1.0.3 or earlier is deployed in their environment. Until an official patch is released, restrict local user permissions so that untrusted users cannot create junctions or symbolic links in, or otherwise write to, the directories SIR uses for its registry backups, and lock down the Trellix SIR registry folder and any policy settings that control the backup location. Apply strict access controls on the backup directories themselves so that only the SIR service and administrators can create or modify files there. Use endpoint detection and response (EDR) tooling to alert on junction or symbolic link creation inside those directories and on unexpected file writes by the SIR process. Audit filesystem permissions and link usage in the backup paths on a regular schedule to catch preparation for an attack early. Consider limiting or isolating the tool on high-risk systems, and make users aware of local privilege escalation risks. Apply the vendor patch promptly once it is available, and add this vulnerability to incident response playbooks so that exploitation attempts can be identified and remediated quickly.
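Two of the recommendations above, auditing the backup directories for links and for permissions that would let an untrusted user plant one, can be turned into a small recurring check. The following added example (written for this page, not code from Trellix or the SIR product) walks a directory tree, reports every symbolic link or Windows reparse point it finds, and flags directories that any local user can write to. The tree it inspects, with a `staging` subdirectory and a `planted.reg` link, is constructed inline; the world-writable test uses POSIX mode bits, and on Windows the equivalent check is the directory's DACL, which this example does not cover.

```python
import os
import stat
import tempfile

# Windows marks junctions and symlinks with this attribute; st_file_attributes only exists on Windows.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link_or_junction(path: str) -> bool:
    """True for POSIX symlinks and for Windows reparse points (junctions and symlinks)."""
    st = os.lstat(path)  # lstat looks at the entry itself, never at what it points to
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE)


def audit_backup_tree(root: str) -> list:
    """Return sorted (finding, path relative to root) pairs a link-following write could abuse."""
    findings = []
    # os.walk defaults to followlinks=False, so linked directories are listed but not entered.
    for dirpath, dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        # A directory where any local user can create entries is where a link gets planted.
        # The sticky bit (as on /tmp) stops users from replacing each other's entries, so skip those.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append(("world-writable-dir", os.path.relpath(dirpath, root)))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if is_link_or_junction(full):
                findings.append(("link", os.path.relpath(full, root)))
    return sorted(findings)


def demo() -> list:
    """Constructed tree: one writable staging directory containing a planted link."""
    with tempfile.TemporaryDirectory() as tmp:  # created with mode 0o700, so the root is not flagged
        staging = os.path.join(tmp, "staging")
        os.mkdir(staging)
        os.chmod(staging, 0o777)  # constructed misconfiguration: anyone may add entries here
        clean = os.path.join(tmp, "clean.reg")
        with open(clean, "wb") as f:
            f.write(b"harmless")  # an ordinary backup file, which must not be reported
        os.symlink(clean, os.path.join(staging, "planted.reg"))  # needs symlink rights on Windows
        return audit_backup_tree(tmp)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:20s} {path}")
```

Run against the real SIR backup location, the same function gives a list that can be diffed between scheduled runs; a new `link` finding inside a backup directory is a strong signal that the scenario described in this advisory is being prepared and is worth an EDR alert on its own.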

Technical Details

Data Version
5.1
Assigner Short Name
trellix
Date Reserved
2025-04-17T16:11:46.344Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685d2cdeca1063fb8741469d

Added to database: 6/26/2025, 11:19:58 AM

Last enriched: 6/26/2025, 11:35:08 AM

Last updated: 8/17/2025, 9:34:13 AM
