CVE-2025-3771

7.1 HIGH

📋 TL;DR

A path traversal vulnerability in SIR 1.0.3 and earlier allows authenticated non-admin local users to overwrite system files by manipulating backup file paths. This can lead to system crashes or potentially privilege escalation. Only affects systems running vulnerable versions of SIR with authenticated local users.

💻 Affected Systems

Products:
  • Trellix SIR (Security Incident Response)
Versions: 1.0.3 and prior versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated local user access; admin privileges not needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via privilege escalation leading to data theft, ransomware deployment, or persistent backdoors.

🟠

Likely Case

System instability or crashes from critical file overwrites, requiring system restoration and causing downtime.

🟢

If Mitigated

Limited impact with proper access controls and monitoring, potentially only causing service disruption.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over network.
🏢 Internal Only: HIGH - Exploitable by any authenticated local user, including low-privilege accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of registry manipulation or symbolic link creation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4 or later

Vendor Advisory: https://thrive.trellix.com/s/article/000014635

Restart Required: Yes

Instructions:

1. Download SIR 1.0.4 or later from the Trellix support portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart the system after installation completes.

🔧 Temporary Workarounds

Restrict Registry Access

powershell

Limit write access on the Trellix SIR registry key to Administrators and SYSTEM. The key and value names are the ones cited on this page and should be confirmed against the installed product before use. Note that icacls cannot be used for this, since it only sets permissions on files and folders; the key ACL is set with Get-Acl/Set-Acl from an elevated PowerShell instead. Users keep read access so the product can still read its own settings; add the SIR service account as well if the service does not run as SYSTEM.

reg add "HKLM\SOFTWARE\Trellix\SIR" /v BackupPath /t REG_SZ /d "C:\ProgramData\Trellix\SIR\Backups" /f
$acl = Get-Acl -Path 'HKLM:\SOFTWARE\Trellix\SIR'; $acl.SetAccessRuleProtection($true, $false); @($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM' | ForEach-Object { $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($_, 'FullControl', 'ContainerInherit', 'None', 'Allow'))) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users', 'ReadKey', 'ContainerInherit', 'None', 'Allow'))); Set-Acl -Path 'HKLM:\SOFTWARE\Trellix\SIR' -AclObject $acl

Disable Symbolic Link Creation

windows

Prevent non-admin users from creating symbolic links via group policy. By default this right (SeCreateSymbolicLinkPrivilege) is granted only to Administrators, so on most hosts this step is a check rather than a change; it is undone if Developer Mode is enabled, which lets unprivileged users create symbolic links. The right does not govern NTFS junctions, which any user can create with mklink /J in a directory they own, so treat this as a partial control.

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> 'Create symbolic links' -> Remove all users except Administrators
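To confirm both workarounds are actually in effect on a host, the following is an added PowerShell example; it is not from this page, the advisory or Trellix. It assumes the registry key name cited above (HKLM\SOFTWARE\Trellix\SIR), which must be confirmed on a real install, and it must run from an elevated shell because secedit /export requires it. The Developer Mode check reads the AppModelUnlock value Windows uses for that setting.

```powershell
# Added example (not vendor code): audit the two workarounds on a Windows host.
# Assumptions: SIR key path as cited on this page; elevated PowerShell session.

function Get-WeakRegistryWriters {
    # Allow ACEs on the key that grant write-class rights to anyone other than
    # Administrators, SYSTEM or CREATOR OWNER. Empty output means the key is locked down.
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Trellix\SIR')   # assumed key name
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "$KeyPath not found; confirm the key name on this install"
        return @()
    }
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
    (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.RegistryRights -band $writeRights)) -ne 0 -and
        ($trusted -notcontains $_.IdentityReference.Value)
    }
}

function Get-SymlinkPrivilegeHolders {
    # Exports the local user-rights policy and resolves who holds
    # SeCreateSymbolicLinkPrivilege. Default on a stock host: BUILTIN\Administrators only.
    $cfg = Join-Path -Path $env:TEMP -ChildPath 'sir-userrights.inf'
    & secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path -Path $cfg)) { Write-Warning 'secedit export failed (not elevated?)'; return @() }
    $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeCreateSymbolicLinkPrivilege*' } | Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1].Trim() -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # "*S-1-5-32-544" form: translate the SID to an account name where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $entry
        }
    }
}

function Test-DeveloperModeEnabled {
    # Developer Mode lets unprivileged users create symbolic links regardless of the user right.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $v = (Get-ItemProperty -Path $p -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue).AllowDevelopmentWithoutDevLicense
    return ($v -eq 1)
}

function Invoke-SirWorkaroundAudit {
    [pscustomobject]@{
        WeakRegistryWriters        = @(Get-WeakRegistryWriters | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
        SymlinkPrivilegeHolders    = @(Get-SymlinkPrivilegeHolders)
        DeveloperModeEnabled       = Test-DeveloperModeEnabled
        # Reflects the token of the user running this script, so run it as a test non-admin user too.
        CurrentUserHasSymlinkRight = [bool]((& whoami /priv) -match 'SeCreateSymbolicLinkPrivilege')
    }
}

Invoke-SirWorkaroundAudit | Format-List
```

A clean result is an empty WeakRegistryWriters list, SymlinkPrivilegeHolders containing only BUILTIN\Administrators, and DeveloperModeEnabled false. Even then, junctions remain available to every user, so the registry ACL is the control that matters most.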

🧯 If You Can't Patch

  • Restrict local user accounts to only trusted personnel with minimal privileges
  • Implement file integrity monitoring on critical system directories

🔍 How to Verify

Check if Vulnerable:

Check the SIR version in Programs and Features, or read the Version value under HKEY_LOCAL_MACHINE\SOFTWARE\Trellix\SIR (key name as cited on this page; confirm it on the installed system).

Check Version:

reg query "HKLM\SOFTWARE\Trellix\SIR" /v Version

Verify Fix Applied:

Confirm the Version value reads 1.0.4 or higher, comparing it as a version number rather than as a string (as strings, 1.0.10 sorts before 1.0.4). Then, as a non-admin user, confirm that backups still complete and that a backup path pointing outside the configured backup directory (for example one containing ..\) is rejected rather than written.
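An added PowerShell example for the version check, not from this page or from Trellix. It reads the Version value this page cites (key name assumed until confirmed), falls back to the Uninstall keys that Programs and Features reads (the DisplayName pattern used there is an assumption), and compares numerically so that a build such as 1.0.10 is not mistaken for a vulnerable one.

```powershell
# Added example (not vendor code): decide whether the installed SIR build predates the fix.
# Assumptions: HKLM\SOFTWARE\Trellix\SIR\Version as cited on this page; DisplayName matches '*Trellix*SIR*'.

function ConvertTo-Version {
    # Normalise "1.0.3", "1.0.3.0" or "1.0.3-hotfix1" to [version] for numeric comparison.
    param([Parameter(Mandatory)][string]$Text)
    $m = [regex]::Match($Text, '\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    return [version]$m.Value
}

function Get-SirInstalledVersion {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Trellix\SIR')   # assumed key name
    $v = (Get-ItemProperty -Path $KeyPath -Name Version -ErrorAction SilentlyContinue).Version
    if ($v) { return [string]$v }
    # Fallback: the same data Programs and Features shows (64-bit and 32-bit views).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Trellix*SIR*' } |   # assumed pattern
           Select-Object -First 1
    if ($app) { return [string]$app.DisplayVersion }
    return $null
}

function Test-SirVulnerable {
    # $true if installed < 1.0.4, $false if patched, $null if the string is not a version.
    param([Parameter(Mandatory)][string]$InstalledText, [version]$FixedIn = '1.0.4')
    $installed = ConvertTo-Version -Text $InstalledText
    if ($null -eq $installed) { return $null }
    return ($installed -lt $FixedIn)
}

function Get-SirPatchStatus {
    $text = Get-SirInstalledVersion
    [pscustomobject]@{
        InstalledVersion = $text
        Vulnerable       = if ($text) { Test-SirVulnerable -InstalledText $text } else { $null }
        Note             = if ($text) { 'Compared numerically against fixed version 1.0.4' }
                           else { 'SIR not detected; confirm the key name and DisplayName on this host' }
    }
}

Get-SirPatchStatus
```

Test-SirVulnerable -InstalledText '1.0.10' returns $false and '1.0.3-hotfix1' returns $true, which is the distinction a plain string comparison gets wrong.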

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file modifications in system directories
  • Failed backup operations with path traversal patterns
  • Registry modifications to SIR backup paths by non-admin users

Network Indicators:

  • None - local exploitation only

SIEM Query:

Written as above, "EventID=4656 OR EventID=4663 AND ..." has a precedence problem: AND binds tighter than OR, so the query returns every 4656 event regardless of path. Excluding SYSTEM is also the wrong filter for the file-write branch, because if the overwrite is performed by the SIR backup routine under the service account, SYSTEM is the subject. Corrected pseudo-SQL, with field names as they appear in the Security log (adapt to the SIEM's schema; the '%\Trellix\%' process-path pattern is an assumption about the install location):

(EventID=4663 AND ObjectName LIKE '%\Windows\System32\%' AND AccessMask IN ('0x2','0x4','0x10000') AND (ProcessName LIKE '%\Trellix\%' OR SubjectUserSid != 'S-1-5-18'))
OR (EventID=4657 AND ObjectName LIKE '%\SOFTWARE\Trellix\SIR%' AND SubjectUserSid != 'S-1-5-18')

4663 (access exercised) is used instead of 4656 (handle requested), which fires on every open. Both 4663 and 4657 are only logged when the Audit File System / Audit Registry subcategories are enabled and a SACL exists on the directory or key concerned.
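The same detection logic as a PowerShell filter that can be exercised offline against constructed events and then pointed at the live Security log; this is an added example, not from this page or from Trellix. The event IDs and EventData field names (ObjectName, SubjectUserSid, ProcessName, AccessMask) are the standard Security-log ones; the SIR key path and the '*\Trellix\*' process-path pattern are assumptions taken from this page, and the sample events are constructed, not captured.

```powershell
# Added example (not vendor code): flag 4657/4663 events consistent with backup-path abuse.
# Assumptions: SIR key path as cited on this page; SIR binaries live under a '\Trellix\' directory.

$LocalSystemSid = 'S-1-5-18'
$SirKeyPattern  = '*\SOFTWARE\Trellix\SIR*'                       # assumed key name
$CriticalDirs   = '*\Windows\System32\*', '*\Windows\SysWOW64\*', '*\Program Files\*', '*\Program Files (x86)\*'
$WriteClassMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000   # WriteData, AppendData, DELETE, WRITE_DAC, WRITE_OWNER

function Test-SirSuspiciousEvent {
    # Pure filter over one event's fields, so the logic can be checked without a live log.
    param([Parameter(Mandatory)][hashtable]$E)
    switch ([int]$E.EventID) {
        4657 {
            # Registry value changed under the SIR key by anything other than LocalSystem.
            return (($E.ObjectName -like $SirKeyPattern) -and ($E.SubjectUserSid -ne $LocalSystemSid))
        }
        4663 {
            $inCritical = [bool]($CriticalDirs | Where-Object { $E.ObjectName -like $_ })
            $isWrite    = (([int]$E.AccessMask) -band $WriteClassMask) -ne 0
            # Do not exclude SYSTEM here: a write performed by the SIR service has SYSTEM as subject.
            # Flag writes from the SIR process path or from any non-SYSTEM subject.
            $bySirOrUser = ($E.ProcessName -like '*\Trellix\*') -or ($E.SubjectUserSid -ne $LocalSystemSid)
            return ($inCritical -and $isWrite -and $bySirOrUser)
        }
        default { return $false }
    }
}

function Get-SirSuspiciousEvents {
    # Live collector: requires Audit Registry / Audit File System enabled plus SACLs on the key/dirs.
    param([datetime]$StartTime = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{ EventID = $_.Id; TimeCreated = $_.TimeCreated }
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
            if (Test-SirSuspiciousEvent -E $fields) { [pscustomobject]$fields }
        }
}

# Constructed sample events (not real log data) exercising each branch of the filter.
$Samples = @(
    @{ EventID = 4657; ObjectName = '\REGISTRY\MACHINE\SOFTWARE\Trellix\SIR'; SubjectUserSid = 'S-1-5-21-1-2-3-1001'; ProcessName = 'C:\Windows\regedit.exe' },                          # non-admin edits SIR key: flagged
    @{ EventID = 4663; ObjectName = 'C:\Windows\System32\drivers\etc\hosts'; SubjectUserSid = 'S-1-5-18'; AccessMask = '0x2'; ProcessName = 'C:\Program Files\Trellix\SIR\sir.exe' },    # SIR service writes system file: flagged
    @{ EventID = 4663; ObjectName = 'C:\Windows\System32\kernel32.dll'; SubjectUserSid = 'S-1-5-18'; AccessMask = '0x1'; ProcessName = 'C:\Windows\System32\svchost.exe' },             # read only: not flagged
    @{ EventID = 4663; ObjectName = 'C:\Users\alice\Documents\notes.txt'; SubjectUserSid = 'S-1-5-21-1-2-3-1001'; AccessMask = '0x2'; ProcessName = 'C:\Windows\notepad.exe' }          # write outside critical dirs: not flagged
)

$Samples | ForEach-Object {
    [pscustomobject]@{ EventID = $_.EventID; Object = $_.ObjectName; Suspicious = (Test-SirSuspiciousEvent -E $_) }
} | Format-Table -AutoSize

# Live run (elevated, auditing configured): Get-SirSuspiciousEvents | Format-Table -AutoSize
```

The split into a pure filter and a collector is deliberate: the filter can be unit-tested and tuned against samples, and the collector is the only part that depends on the host's audit policy. On a host where the system directories carry no SACL, Get-SirSuspiciousEvents returns nothing even during an attack, which is the first thing to check when the query is silent.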
