CVE-2025-49385 is a local privilege escalation vulnerability affecting Trend Micro Internet Security (Consumer) version 17.8. The vulnerability stems from improper handling of Windows shortcut (LNK) files, classified under CWE-64 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Specifically, the security product follows symbolic links or shortcuts in a manner that allows a local attacker with limited privileges to manipulate the software’s file operations. This flaw can be exploited by an attacker to cause the deletion of privileged Trend Micro files, including potentially critical components of the security software itself. Because the deletion affects files owned by the security product, this can lead to a complete compromise of the product’s integrity and availability, effectively disabling protection mechanisms and potentially opening the system to further attacks. The vulnerability requires local access with low privileges (PR:L) but does not require user interaction (UI:N). The attack complexity is low (AC:L), meaning exploitation is straightforward once local access is obtained. The CVSS v3.1 base score is 7.8, reflecting high severity due to the combined impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability is specific to version 17.8 of the consumer edition of Trend Micro Internet Security, a widely used antivirus and endpoint protection product for Windows platforms. The root cause is the software’s unsafe handling of Windows shortcuts, which can be leveraged to trick the product into deleting its own privileged files, thereby escalating privileges from a low-privileged user to effectively administrative control over the security software’s operations.

For European organizations, this vulnerability poses a significant risk especially for consumer endpoints and potentially small business environments relying on Trend Micro Internet Security 17.8. The ability for a local attacker to escalate privileges and disable or degrade endpoint protection can lead to broader compromise of systems, data breaches, and persistence of malware. In environments where endpoint security is a critical layer of defense, such as financial institutions, healthcare providers, and critical infrastructure operators, exploitation could facilitate lateral movement and data exfiltration. The impact on confidentiality is high as attackers could disable security controls to access sensitive data. Integrity is compromised because the security product’s files can be deleted or altered, and availability is affected due to potential denial of security services. Although the attack requires local access, this could be achieved through social engineering, physical access, or exploiting other vulnerabilities to gain initial foothold. The lack of user interaction requirement increases the risk in automated or unattended systems. Given the widespread use of Trend Micro products in Europe, especially in consumer and SMB markets, the vulnerability could be leveraged in targeted attacks or by malware aiming to disable endpoint defenses.

1. Immediate mitigation should focus on restricting local user permissions to prevent untrusted users from accessing or manipulating Trend Micro installation directories and files. 2. Employ application whitelisting and file integrity monitoring to detect unauthorized changes or deletions of security product files. 3. Use endpoint detection and response (EDR) solutions to monitor for suspicious local activities indicative of privilege escalation attempts. 4. Until an official patch is released, consider temporarily disabling or limiting the use of the affected Trend Micro version on critical systems, or deploying alternative endpoint protection solutions. 5. Educate users on the risks of local privilege escalation and enforce strict physical and logical access controls to reduce the chance of local attacker presence. 6. Monitor vendor communications closely for patches or updates and plan rapid deployment once available. 7. Conduct internal audits to identify systems running the vulnerable version and prioritize remediation. 8. Implement network segmentation to limit the impact of compromised endpoints. These steps go beyond generic advice by focusing on controlling local access, monitoring integrity of security software files, and preparing for rapid patch deployment.