CVE-2022-30523

7.8 HIGH

📋 TL;DR

This vulnerability in Trend Micro Password Manager allows a local attacker with low privileges to delete arbitrary folder contents with SYSTEM-level permissions, potentially leading to privilege escalation. It affects users of Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below. Attackers must have local access to the system to exploit this flaw.

💻 Affected Systems

Products:
  • Trend Micro Password Manager (Consumer)
Versions: 5.0.0.1266 and below
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the consumer version, not enterprise versions. Requires local access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full SYSTEM privileges on the affected machine, enabling complete system compromise, data theft, malware installation, or persistence establishment.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, access protected data, or install additional malicious software.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, though local attackers could still cause data loss through folder deletion.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local system access.
🏢 Internal Only: HIGH - Any local user with low privileges could potentially exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access with low privileges. The vulnerability involves link following to manipulate folder deletion operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.0.1267 or later

Vendor Advisory: https://helpcenter.trendmicro.com/en-us/article/tmka-09071

Restart Required: Yes

Instructions:

1. Open Trend Micro Password Manager.
2. Check for updates in settings.
3. Install available updates.
4. Restart the application or system as prompted.

🔧 Temporary Workarounds

Restrict Local Access (Windows)

Limit local user access to systems running vulnerable versions

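Monitor Folder Deletion Events (Windows)

Enable File System object-access auditing so that folder deletions are recorded in the Windows Security log. The audit policy only produces events for folders that also have an audit entry (SACL) configured, so add one to the directories you want to watch: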

auditpol /set /subcategory:"File System" /success:enable /failure:enable

🧯 If You Can't Patch

  • Uninstall Trend Micro Password Manager if not essential
  • Implement strict least privilege access controls and monitor for suspicious local activity

🔍 How to Verify

Check if Vulnerable:

Check Trend Micro Password Manager version in application settings or Control Panel > Programs and Features

Check Version:

wmic product where name="Trend Micro Password Manager" get version

Verify Fix Applied:

Verify version is 5.0.0.1267 or higher after updating

📡 Detection & Monitoring

Log Indicators:

  • Unexpected folder deletion events in Windows Security logs
  • SYSTEM account performing unusual file operations

Network Indicators:

  • Local privilege escalation typically has minimal network indicators

SIEM Query:

EventID=4663 AND ObjectType="File" AND AccessMask="0x10000" AND SubjectUserName="SYSTEM" AND ProcessName contains "Password Manager"
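
The query above as triage logic over exported events, as an added example that is not part of the original advisory or any vendor tooling: it tests the DELETE bit of AccessMask rather than string equality, accepts the LocalSystem SID as well as the name SYSTEM, and ranks deletes outside the product's own folders higher. The SubjectUserSid and ObjectName fields, the allowed_roots parameter, and all sample paths and records are assumptions constructed for illustration.

```python
# Added example: triage exported Windows Security 4663 records for this CVE.
# Field names follow the SIEM query; SubjectUserSid, ObjectName and the
# allowed_roots parameter are assumptions about the export, not advisory data.
from pathlib import PureWindowsPath

DELETE = 0x10000          # DELETE access right, the mask used in the query
SYSTEM_SID = "S-1-5-18"   # LocalSystem; its account name is often logged as HOST$

def is_system(ev):
    return (ev.get("SubjectUserSid") == SYSTEM_SID
            or ev.get("SubjectUserName", "").upper() == "SYSTEM")

def under(path, roots):
    """True if path equals or sits below one of roots (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(p == r or r in p.parents for r in map(PureWindowsPath, roots))

def triage(events, allowed_roots, proc_marker="password manager"):
    """Return (severity, event) for SYSTEM deletes made by the product process."""
    hits = []
    for ev in events:
        if str(ev.get("EventID")) != "4663" or ev.get("ObjectType") != "File":
            continue
        # AccessMask is a bit field: test the DELETE bit instead of equality.
        if not int(str(ev.get("AccessMask", "0")), 16) & DELETE:
            continue
        if not is_system(ev) or proc_marker not in ev.get("ProcessName", "").lower():
            continue
        # Deletes outside the product's own folders match the link-following
        # pattern the advisory describes, so they are ranked higher.
        outside = not under(ev.get("ObjectName", ""), allowed_roots)
        hits.append(("high" if outside else "info", ev))
    return hits

# Constructed sample records and placeholder paths (not real telemetry).
PROC = r"C:\Program Files\ExampleVendor\Password Manager\svc.exe"
ALLOWED = [r"C:\ProgramData\ExampleVendor\Password Manager"]
BASE = {"EventID": 4663, "ObjectType": "File", "ProcessName": PROC,
        "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "HOST01$"}
SAMPLE = [
    {**BASE, "AccessMask": "0x10000", "ObjectName": ALLOWED[0] + r"\cache\a.tmp"},
    {**BASE, "AccessMask": "0x10080", "ObjectName": r"C:\Data\reports\q1.txt"},
    {**BASE, "AccessMask": "0x2", "ObjectName": r"C:\Data\reports\q2.txt"},
    {**BASE, "AccessMask": "0x10000", "ObjectName": r"C:\Data\x.txt",
     "SubjectUserSid": "S-1-5-21-1-2-3-1001", "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for severity, ev in triage(SAMPLE, ALLOWED):
        print(severity, ev["AccessMask"], ev["ObjectName"])
```

Replace ALLOWED with the directories the product legitimately manages on your hosts before using the severity ranking.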
