CVE-2021-44023

Vulnerability

This link following denial-of-service (DoS) vulnerability exists in the PC Health Checkup component of Trend Micro Security (Consumer) 2021 family of products — specifically in versions 2021 (v17) and below, including Premium Security, Maximum Security, Internet Security, and Antivirus+ Security on Microsoft Windows. The flaw resides within the Platinum Host Service, where insufficient validation of symbolic links allows an attacker to redirect file operations to arbitrary locations on the system [1][2].

Exploitation

An attacker must first obtain the ability to execute low-privileged code on the target system. By creating a symbolic link and then triggering the PC Health Checkup feature, the attacker can abuse the service to overwrite a file at a path controlled by the symlink. The attack requires local access and low privileges but no user interaction beyond the initial code execution [1].

Impact

Successful exploitation allows the attacker to overwrite arbitrary files on the system, leading to a denial-of-service condition. The CVSS score is 6.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), reflecting high availability impact with no confidentiality exposure but some integrity loss [1]. Trend Micro has received no reports of active exploitation [2].

Mitigation

Trend Micro has released version 2022 (v17.7) for all affected products to resolve this vulnerability. Users should update to this version or later via the product’s automatic update mechanism or by downloading from the official site [2]. No workaround is available for unpatched installations.