CVE-2021-25251
Description
The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the program's password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Trend Micro Security 2020 and 2021 consumer products contain a code injection flaw that allows an admin-level attacker to disable password protection and protection features.
Vulnerability
A code injection vulnerability exists in the Trend Micro Security 2020 (v16) and 2021 (v17) families of consumer products, including Premium Security, Maximum Security, Internet Security, and Antivirus+ on Windows. The flaw allows an attacker to inject code into a privileged process. The vulnerability is present in the versions listed in [1].
Exploitation
To exploit this vulnerability, an attacker must already have administrator privileges on the affected machine. With administrative access, the attacker can perform code injection to disable the product's password protection and disable its protection features. No user interaction beyond initial compromise is required, and the attack is performed locally with high privileges [1].
Impact
Successful exploitation allows the attacker to disable Trend Micro Security password protection and to disable protection features entirely. Given the CVSS score of 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), the impact on confidentiality, integrity, and availability is high. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope. An attacker can effectively neutralize the antivirus software on the system [1].
Mitigation
Trend Micro has released an update via the product's ActiveUpdate automatic update mechanism. Affected versions (2020 v16 and 2021 v17) will receive the fix automatically if connected to the internet. The latest builds are available for direct download from Trend Micro. No workarounds are necessary as the update resolves the vulnerability. There is no evidence of active exploitation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2020 (v16), 2021 (v17)
Patches
No patches discovered yet.
References
[1] helpcenter.trendmicro.com/en-us/article/TMKA-10211 (mitre, x_refsource_MISC)