CVE-2020-25775
Description
The Trend Micro Security 2020 (v16) consumer family of products is vulnerable to a security race condition arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product's secure erase feature to delete files with a higher set of privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Trend Micro Security 2020's Secure Erase feature allows low-privileged users to delete arbitrary files as SYSTEM.
Vulnerability
The vulnerability resides in the Secure Erase feature of Trend Micro Security 2020 (v16) consumer products, including Premium Security, Maximum Security, Internet Security, and Antivirus+. It is a race condition caused by improper validation of a user-supplied link before file operations. Affected versions are Trend Micro Security 2020 (v16) and below. [1][2]
Exploitation
An attacker must first obtain the ability to execute low-privileged code on the target system. The exploit involves manipulating the Secure Erase feature's race window to delete arbitrary files. The specific flaw is the lack of proper validation of a user-supplied link, which the attacker can control. [1]
Impact
Successful exploitation allows an attacker to delete arbitrary files in the context of the SYSTEM account. This results in a high impact on integrity (file deletion) but no confidentiality impact. The CVSSv3 score is 5.3 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H). [1][2]
Mitigation
Trend Micro addressed this vulnerability via a patch delivered through the product's automatic ActiveUpdate feature for all versions at or above Trend Micro Security 2020 (v16). Customers who are up-to-date with v16 already have the fix. Users on version 2019 (v15) or below should upgrade to v16 or v17. No active exploitation has been reported. [2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v16
- Range: 2020 (v16)
Patches
No patches discovered yet.
References
- helpcenter.trendmicro.com/en-us/article/TMKA-09909 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-20-1227/ (mitre, x_refsource_MISC)