CVE-2022-26337

7.8 HIGH

📋 TL;DR

This vulnerability in Trend Micro Password Manager installer allows attackers to place malicious DLL files in specific directories, which the installer then loads with elevated privileges. This enables local privilege escalation from a lower-privileged account to SYSTEM/administrator level. Only users with Trend Micro Password Manager (Consumer) version 5.0.0.1262 or below are affected.

💻 Affected Systems

Products:
  • Trend Micro Password Manager (Consumer)
Versions: 5.0.0.1262 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the installer component; requires attacker to have ability to place files in specific directories accessible to the installer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full SYSTEM privileges on the compromised machine, enabling complete control, data theft, persistence mechanisms, and lateral movement capabilities.

🟠 Likely Case

Local attacker with limited privileges escalates to administrator/SYSTEM level to install malware, steal credentials, or bypass security controls.

🟢 If Mitigated

Attack fails due to proper file permissions, user account restrictions, or security software blocking DLL sideloading attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the system; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access (via phishing, malware, etc.), they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access and ability to write files to specific directories; DLL hijacking/sideloading techniques are well-documented and relatively simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.0.1263 and above

Vendor Advisory: https://helpcenter.trendmicro.com/en-us/article/tmka-10954

Restart Required: No

Instructions:

1. Open Trend Micro Password Manager.
2. Check for updates in settings.
3. Install available updates.
4. Verify version is 5.0.0.1263 or higher.

🔧 Temporary Workarounds

Restrict DLL loading permissions

windows

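Set strict file permissions on installer directories to prevent unauthorized DLL placement. A deny entry for Everyone also applies to administrators and SYSTEM, so updates that write to this folder can fail until the entry is removed.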

icacls "C:\Program Files\Trend Micro\Password Manager" /deny Everyone:(OI)(CI)(WD,AD)

Disable unnecessary services

windows

Disable Trend Micro Password Manager services if not actively used

sc config "TMPMService" start= disabled
sc stop "TMPMService"

🧯 If You Can't Patch

  • Remove Trend Micro Password Manager entirely if not needed
  • Implement strict file system permissions and monitor for unauthorized DLL files in program directories

🔍 How to Verify

Check if Vulnerable:

Check installed version in Control Panel > Programs and Features or via 'About' in Trend Micro Password Manager

Check Version:

wmic product where "name like 'Trend Micro Password Manager%'" get version

Verify Fix Applied:

Confirm version is 5.0.0.1263 or higher and test DLL loading behavior

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unusual locations
  • Process Monitor logs showing installer loading unexpected DLLs

Network Indicators:

  • No network indicators - local exploitation only

SIEM Query:

EventID=7 AND (ImagePath:*Trend Micro* AND ImageLoaded:*dll) AND NOT (ImageLoaded:*System32* OR ImageLoaded:*Program Files*)
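The query above expressed as a filter over image-load records, as an added example that is not part of the original page or any vendor tooling. Field names follow the query; the sample events, paths and file names are constructed and hypothetical.

```python
from fnmatch import fnmatchcase

# Field names follow the page's query; your SIEM schema may name them differently.
PROCESS_GLOB = "*trend micro*"                     # ImagePath:*Trend Micro*
TRUSTED_GLOBS = ("*system32*", "*program files*")  # NOT (ImageLoaded:... OR ...)


def _like(value, pattern):
    """Case-insensitive wildcard match on a lowercase pattern."""
    return fnmatchcase(value.lower(), pattern)


def is_suspicious_load(event):
    """True when the event satisfies every clause of the query."""
    if event.get("EventID") != 7:
        return False
    image = event.get("ImagePath", "")
    loaded = event.get("ImageLoaded", "")
    if not (_like(image, PROCESS_GLOB) and _like(loaded, "*dll")):
        return False
    return not any(_like(loaded, glob) for glob in TRUSTED_GLOBS)


def triage(events):
    """Return (process, dll) pairs the query would surface."""
    return [(e["ImagePath"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample records (hypothetical paths and file names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7, "ImagePath": r"C:\Users\alice\Downloads\Trend Micro Setup\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Trend Micro Setup\helper.dll"},
    {"EventID": 7, "ImagePath": r"C:\Users\alice\Downloads\Trend Micro Setup\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Not flagged: the Program Files exclusion also covers the product's own folder.
    {"EventID": 7, "ImagePath": r"C:\Program Files\Trend Micro\Password Manager\app.exe",
     "ImageLoaded": r"C:\Program Files\Trend Micro\Password Manager\helper.dll"},
    {"EventID": 7, "ImagePath": r"C:\Tools\other.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll"},
    {"EventID": 1, "ImagePath": r"C:\Users\alice\Downloads\Trend Micro Setup\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Trend Micro Setup\helper.dll"},
]

if __name__ == "__main__":
    for process, dll in triage(SAMPLE_EVENTS):
        print(f"ALERT {process} loaded {dll}")
```

The third sample record shows a coverage gap in the query as written: a DLL loaded from the product's own Program Files folder is excluded, so file-permission checks on that folder remain necessary alongside this alert.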
