CVE-2022-28394

7.8 HIGH

📋 TL;DR

This vulnerability in Trend Micro Password Manager installer versions 3.7.0.1223 and below allows attackers to execute arbitrary code by placing malicious DLLs in locations the installer searches. It affects users running outdated, end-of-life versions of the consumer password manager software.

💻 Affected Systems

Products:
  • Trend Micro Password Manager (Consumer)
Versions: 3.7.0.1223 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the installer component specifically. The product is end-of-life (EOL) and no longer supported.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining administrative privileges and complete control over the affected system.

🟠 Likely Case

Local privilege escalation allowing attackers to install malware, steal credentials, or persist on the system.

🟢 If Mitigated

Limited impact if proper file permissions and execution controls prevent DLL planting in vulnerable directories.

🌐 Internet-Facing: LOW - Requires local access or ability to place files on target system.
🏢 Internal Only: MEDIUM - Internal attackers or malware with local access could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access to plant malicious DLLs in directories searched by the installer.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.x (latest supported version)

Vendor Advisory: https://helpcenter.trendmicro.com/ja-jp/article/TMKA-10977

Restart Required: Yes

Instructions:

1. Uninstall affected version (3.7.0.1223 or below)
2. Download latest version 5.x from Trend Micro website
3. Install new version
4. Restart system

🔧 Temporary Workarounds

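Restrict DLL search path permissions (Windows)

Set strict permissions on directories the installer searches to prevent unauthorized DLL placement. An explicit deny entry for Everyone also applies to administrators and SYSTEM, so remove it before updating or uninstalling the product.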

icacls "C:\Program Files\Trend Micro\Password Manager" /deny Everyone:(OI)(CI)W

🧯 If You Can't Patch

  • Uninstall Trend Micro Password Manager completely
  • Use alternative password manager software

🔍 How to Verify

Check if Vulnerable:

Check the installed version in Control Panel > Programs and Features. If the version is 3.7.0.1223 or below, the system is vulnerable.

Check Version:

wmic product where "name like 'Trend Micro Password Manager%'" get version

Verify Fix Applied:

Verify version is 5.x or higher in installed programs list and check that installer directory permissions are properly restricted.
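
The two checks above (installed version and directory permissions) can be combined in one script. This is an added example, not code from the vendor or from the original page. It assumes the product registers under the standard Windows uninstall registry keys with the display name used in the wmic filter above, uses the install path from the icacls workaround, and assumes English-language account names for the trusted writers list.

```powershell
# Added example: version and ACL audit for CVE-2022-28394 (not vendor code).
$LastVulnerable = [version]'3.7.0.1223'   # highest affected version per this page
$InstallDir     = 'C:\Program Files\Trend Micro\Password Manager'  # path from the workaround
$TrustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'   # assumed English names

function Get-PasswordManagerInstall {
    # Read the 64-bit and 32-bit uninstall hives. Unlike "wmic product", this
    # does not trigger an MSI consistency check on every installed package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Trend Micro Password Manager*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-VulnerableVersion([string]$DisplayVersion) {
    # Returns $true/$false, or $null when the version string cannot be parsed.
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return $null }
    return $parsed -le $LastVulnerable
}

function Get-UntrustedWriteAce([string]$Path) {
    # Allow entries that let a non-trusted principal create files or folders,
    # which is what DLL planting in this directory would require.
    $mask = 0x50000006   # WriteData | AppendData | GENERIC_WRITE | GENERIC_ALL
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -and
        $TrustedWriters -notcontains $_.IdentityReference.Value
    }
}

foreach ($app in Get-PasswordManagerInstall) {
    $vulnerable = Test-VulnerableVersion $app.DisplayVersion
    $status = 'not in affected range'
    if ($null -eq $vulnerable) { $status = 'UNKNOWN (unparseable version)' }
    if ($vulnerable) { $status = 'VULNERABLE (3.7.0.1223 or below)' }
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status
}

if (Test-Path -LiteralPath $InstallDir) {
    Get-UntrustedWriteAce $InstallDir |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

No output from the ACL section means no non-trusted principal holds a write-capable allow entry on the directory.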

📡 Detection & Monitoring

Log Indicators:

  • Failed DLL loading attempts from Password Manager installer
  • Unusual process creation from Password Manager directory

Network Indicators:

  • None - local exploitation only

SIEM Query:

Process Creation where Image contains 'Password Manager' and (CommandLine contains 'install' or CommandLine contains 'setup')
