CVE Vulnerabilities

CVE-2025-48443

Windows Shortcut Following (.LNK)

Published: Jun 17, 2025 | Modified: Aug 27, 2025
CVSS 3.x
6.6
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Local Privilege Escalation Vulnerability that could allow a local attacker to leverage this vulnerability to delete files in the context of an administrator when the administrator installs Trend Micro Password Manager.

Weakness

The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Affected Software

Name Vendor Start Version End Version
Password_manager Trendmicro * 5.8.0.1330 (excluding)

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References