CVE-2020-27695
Description
Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker can place a malicious DLL in a specific directory to gain SYSTEM privileges during Trend Micro Security 2020 installation.
Vulnerability
CVE-2020-27695 exists in the installer package of Trend Micro Security 2020 (Consumer) versions v16.x for Windows English editions (Premium Security, Maximum Security, Internet Security, Antivirus+). The installer loads a DLL from a local directory without proper validation, allowing an attacker with low-privileged access to the system to place a crafted DLL that the installer will load during the product installation process [1].
Exploitation
An attacker must have local access to the target machine and be able to write files to the specific directory where the Trend Micro installer searches for a DLL (likely the current working directory or a system-accessible path). No authentication beyond standard user-level access is required. The attacker places a malicious DLL in that location before or during the installation of Trend Micro Security 2020. When the installer, which runs with elevated privileges, executes, it loads the attacker-controlled DLL instead of the legitimate one and runs arbitrary code in the context of the installer [1].
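A defender-side check for the precondition described above, as an added example that is not from the original page or from Trend Micro: it lists loadable libraries sitting beside an installer before that installer is run elevated. It assumes the planted DLL would be in the installer's own folder (the page does not name the directory); `stray_libraries`, `known_good` and the sample files are hypothetical and constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the Windows loader can map as code (this selection is an assumption).
LOADABLE = {".dll", ".ocx", ".cpl"}


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stray_libraries(installer, known_good=()):
    """Return (name, sha256) for each loadable file beside `installer`
    whose hash is not in `known_good` (hashes the admin already trusts)."""
    trusted = {h.lower() for h in known_good}
    findings = []
    for entry in sorted(Path(installer).resolve().parent.iterdir()):
        if entry.is_file() and entry.suffix.lower() in LOADABLE:
            digest = sha256_of(entry)
            if digest not in trusted:
                findings.append((entry.name, digest))
    return findings


def demo():
    """Build a constructed Downloads-style folder and audit it."""
    with tempfile.TemporaryDirectory() as folder:
        root = Path(folder)
        (root / "setup.exe").write_bytes(b"constructed installer stub")
        (root / "notes.txt").write_bytes(b"not loadable")
        (root / "helper.DLL").write_bytes(b"constructed unexpected library")
        (root / "vendor.dll").write_bytes(b"constructed trusted library")
        trusted = [hashlib.sha256(b"constructed trusted library").hexdigest()]
        return stray_libraries(root / "setup.exe", known_good=trusted)


if __name__ == "__main__":
    for name, digest in demo():
        print(f"unexpected library next to installer: {name} sha256={digest}")
```

Any finding is a reason to inspect the file and its owner before launching the installer with elevation.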
Impact
Successful exploitation allows the attacker to execute arbitrary code with SYSTEM privileges, resulting in full compromise of the affected Windows system. The attacker gains local privilege escalation from a low-privileged user account to the highest administrative level, enabling them to install programs, create or modify accounts, and access or alter any data on the system [1].
Mitigation
Trend Micro has addressed this vulnerability in the updated installer included in Trend Micro Security 2021 version 17.x. All customers using affected versions should download and upgrade to the latest version (17.x) from the official Trend Micro website. No workaround is documented for the vulnerable v16 builds; the only complete mitigation is to upgrade to the patched version [1]. The CVE is not known to be listed in the KEV catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 2020 (v16)
References
[1] helpcenter.trendmicro.com/en-us/article/TMKA-10036 (mitre, x_refsource_MISC)