CVE-2025-49384 is a local privilege escalation vulnerability identified in Trend Micro Internet Security (Consumer) version 17.8. The vulnerability is categorized under CWE-64, which relates to improper handling of Windows shortcut (LNK) files. Specifically, the flaw allows a local attacker to exploit the way the security software follows Windows shortcut links, potentially causing the deletion of privileged Trend Micro files, including the software's own critical components. This deletion can lead to a complete compromise of the security product's integrity and availability, effectively disabling its protective functions. The vulnerability requires local access with limited privileges (PR:L) but does not require user interaction (UI:N), making it easier for an attacker who has already gained some foothold on the system to escalate privileges. The CVSS v3.1 base score is 7.8 (high severity), reflecting high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The attack vector is local (AV:L), and the attack complexity is low (AC:L), indicating that exploitation does not require specialized conditions. No known exploits are reported in the wild as of the publication date (June 17, 2025), and no patches have been linked yet. The vulnerability stems from the security software's improper validation or sanitization of Windows shortcut targets, allowing an attacker to manipulate file paths to delete privileged files. This can lead to a denial of service of the security product and potentially open the system to further compromise due to the absence of active protection.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Trend Micro Internet Security (Consumer) version 17.8 for endpoint protection. Successful exploitation can result in the disabling of critical security defenses, exposing systems to malware, ransomware, and other advanced threats. The local privilege escalation aspect means that attackers who have already compromised a low-privilege user account can leverage this flaw to gain higher privileges, facilitating lateral movement and deeper infiltration within corporate networks. This is particularly concerning for small and medium enterprises (SMEs) and home office environments where consumer-grade security products are prevalent. The deletion of security files can also lead to compliance issues under European data protection regulations (e.g., GDPR) if it results in data breaches. Additionally, the unavailability of the security product can increase the risk of persistent threats and data exfiltration. Given the lack of patches at the time of disclosure, organizations may face a window of exposure, increasing the urgency for mitigation.

1. Immediate mitigation should include restricting local user permissions to minimize the number of users with access to systems running the vulnerable Trend Micro version. 2. Employ application whitelisting and endpoint detection and response (EDR) solutions that can monitor and block suspicious file deletion activities, especially those targeting security software files. 3. Implement strict file system permissions on Trend Micro installation directories to prevent unauthorized modifications or deletions by non-privileged users. 4. Use Group Policy Objects (GPO) in Windows environments to enforce these permissions and restrict the execution of untrusted shortcuts or scripts. 5. Monitor system logs and security event logs for unusual activities related to file deletions or privilege escalations. 6. Until an official patch is released, consider deploying alternative or additional endpoint protection solutions that do not exhibit this vulnerability. 7. Educate users about the risks of executing unknown shortcuts and ensure that endpoint devices are not left accessible to untrusted users. 8. Regularly back up critical security configurations and files to enable rapid restoration if deletion occurs. 9. Coordinate with Trend Micro support for early access to patches or workarounds and subscribe to their security advisories for updates.