CVE-2025-30640
📋 TL;DR
A link following vulnerability in Trend Micro Deep Security 20.0 agents allows local attackers to escalate privileges on affected systems. Attackers must first gain low-privileged code execution on the target machine to exploit this vulnerability. This affects organizations using Trend Micro Deep Security 20.0 agents.
💻 Affected Systems
- Trend Micro Deep Security Agent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, enabling complete control over the affected endpoint, data exfiltration, and lateral movement within the network.
Likely Case
Local privilege escalation from a standard user account to SYSTEM/root privileges, allowing installation of persistent malware, disabling security controls, and accessing sensitive system resources.
If Mitigated
Limited impact with proper endpoint security controls, network segmentation, and least privilege principles in place, potentially containing the escalation to isolated systems.
🎯 Exploit Status
Requires attacker to already have code execution on the target system with low privileges. The vulnerability involves improper handling of symbolic links or junctions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Deep Security Agent 20.0.1-2967 or later
Vendor Advisory: https://success.trendmicro.com/en-US/solution/KA-0019344
Restart Required: Yes
Instructions:
1. Log into Deep Security Manager.
2. Navigate to Computers > Agent Status.
3. Select affected agents.
4. Click Actions > Update Agent.
5. Follow the prompts to deploy updated agent version 20.0.1-2967 or later.
6. Restart affected systems after the update completes.
🔧 Temporary Workarounds
Restrict local user privileges
Implement least privilege principles to limit what low-privileged users can execute on systems
Enable application control
Use application whitelisting to prevent unauthorized code execution
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Deep Security agents from critical systems
- Deploy additional endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Deep Security Agent version. On Windows: open Services, find 'Trend Micro Deep Security Agent', and check the version in its properties. On Linux: run 'dsa_control -a' or check /opt/ds_agent/version.txt.
Check Version:
- Windows: sc query "Trend Micro Deep Security Agent" | find "VERSION"
- Linux: cat /opt/ds_agent/version.txt
Verify Fix Applied:
Verify agent version is 20.0.1-2967 or later using the same commands above
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Deep Security Agent directories
- Multiple failed privilege escalation attempts in system logs
- Suspicious symbolic link creation in system directories
Network Indicators:
- Unusual outbound connections from Deep Security Agent processes
- Lateral movement attempts from patched systems
SIEM Query:
Process creation where parent_process_name contains 'dsa' AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe' OR process_name contains 'bash')
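The SIEM query above, expressed as an offline check over process-creation events so it can be tested before deployment. This is an added example, not part of the advisory or of Trend Micro's tooling; the JSON event shape and the sample events (including the parent process names) are constructed assumptions, and the 'dsa' substring match is the advisory's own pattern, which should be tuned to the agent's real process names in your environment.

```python
"""Offline equivalent of the advisory's SIEM query: flag any process whose
name contains 'dsa' that spawns cmd.exe, powershell.exe or bash."""
import json

# Child processes the advisory's query looks for.
SHELLS = {"cmd.exe", "powershell.exe", "bash"}

# Constructed sample events in a simplified, hypothetical JSON shape.
# Process names and paths are illustrative, not taken from the product.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"parent_image": "/opt/ds_agent/dsa_control", "image": "/bin/bash", "user": "root"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\alice"},
    {"parent_image": r"C:\Program Files\Trend Micro\Deep Security Agent\dsa.exe",
     "image": r"C:\Windows\System32\conhost.exe", "user": "NT AUTHORITY\\SYSTEM"},
]


def basename(path):
    """Last path component, lower-cased; accepts both '\\' and '/' separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event):
    """True when the parent name contains 'dsa' and the child is a shell."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    return "dsa" in parent and child in SHELLS


def find_suspicious(events):
    """Return the subset of events that match the advisory's query."""
    return [e for e in events if is_suspicious(e)]


def from_jsonl(lines):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```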