A high-severity vulnerability has been identified in Trend Micro security products, specifically affecting Cleaner One Pro. This flaw allows a local user with low privileges to escalate their permissions, which could lead to the deletion of critical security files, effectively disabling the product and leaving the system exposed to further attacks. Organizations are urged to apply the vendor-provided patch immediately to mitigate this risk.

The vulnerability is a local privilege escalation within the Trend Micro Cleaner One Pro component. The cleaning function of the software does not properly validate file paths before deletion. An attacker with local, low-privilege access to a system can exploit this by creating a symbolic link from a location the cleaner tool targets (e.g., a temporary cache directory) to a critical, high-privilege Trend Micro system file. When the cleaner utility is run by a privileged user or the system, it will follow this symbolic link and delete the protected file, leading to a denial-of-service condition for the security product.

This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation would directly impact the integrity and availability of the Trend Micro security solution on an affected endpoint. By disabling the security software, an attacker can bypass endpoint protection, antivirus scanning, and other security controls, rendering the system vulnerable to subsequent attacks such as malware deployment, data exfiltration, or ransomware. This creates a significant risk of a minor security incident escalating into a major breach, potentially leading to data loss, operational downtime, and reputational damage.

Immediate Action:

• Patch Immediately: Deploy the patched version of the affected Trend Micro software provided by the vendor across all vulnerable endpoints without delay.
• Review Permissions: Conduct a review of user permissions and access controls on endpoints. Ensure that non-administrative users have the minimum necessary privileges to perform their roles, reducing the attack surface for local exploits.

Proactive Monitoring:

• Monitor system logs for unexpected termination or failures of Trend Micro services and processes.
• Implement File Integrity Monitoring (FIM) on Trend Micro's installation directories to generate alerts on any unauthorized file modifications or deletions.
• Scrutinize endpoint detection and response (EDR) logs for suspicious process chains involving the Cleaner One Pro executable or unusual file deletion activity originating from low-privilege user accounts.

Compensating Controls:

• If patching is not immediately feasible, consider restricting the execution of the Cleaner One Pro tool using application control solutions like AppLocker or other software restriction policies.
• Enforce the principle of least privilege rigorously to limit the ability of local users to write to locations that could be leveraged in this type of attack.
• Increase monitoring on systems that cannot be patched to detect any signs of compromise quickly.

Public Exploit Available: false

Given the high severity score and the potential for complete security product bypass, immediate remediation is strongly recommended. Although this CVE is not currently on the CISA KEV list, its nature as a local privilege escalation makes it a valuable tool for any attacker who has gained initial access. Organizations must prioritize patching all systems running the affected Trend Micro software. The focus should be on applying the vendor patch first and then implementing compensating controls and enhanced monitoring on any systems where patching is delayed.