CVE-2025-30642 Overview
A link following vulnerability (CWE-59) has been identified in Trend Micro Deep Security 20.0 agents that could allow a local attacker to create a denial of service (DoS) condition on affected Windows installations. This vulnerability requires an attacker to first obtain the ability to execute low-privileged code on the target system before exploitation is possible.
Critical Impact
Local attackers with low-privileged access can cause service disruption through symbolic link manipulation, potentially impacting system availability and security monitoring capabilities.
Affected Products
- Trend Micro Deep Security Agent 20.0.1 (Long Term Support) - all updates up to and including update 23340
- Trend Micro Deep Security Agent 20.0.1 with updates: 690, 3180, 4540, 7380, 9400, 12510, 14610, 17380, 19250, 21510, 23340
- Microsoft Windows (as the affected operating system platform)
Discovery Timeline
- 2025-06-17 - CVE-2025-30642 published to NVD
- 2025-09-09 - Last updated in NVD database
Technical Details for CVE-2025-30642
Vulnerability Analysis
This link following vulnerability (symlink attack) allows a local attacker with low-privileged access to manipulate file system operations performed by the Deep Security Agent. The vulnerability stems from improper handling of symbolic links or junction points during file operations, enabling an attacker to redirect privileged file operations to unintended targets.
When the Deep Security Agent performs file operations with elevated privileges, it fails to adequately verify whether the target path has been manipulated through symbolic links. An attacker can exploit this behavior to cause the agent to perform operations on arbitrary files or directories, resulting in service disruption.
The attack requires local access and low-privilege code execution, meaning the attacker must already have a foothold on the target system. However, once that prerequisite is met, no user interaction is required to trigger the vulnerability.
Root Cause
The root cause is improper link resolution (CWE-59: Improper Link Resolution Before File Access) in the Deep Security Agent's file handling routines. The agent does not perform adequate validation to ensure that file paths being accessed or modified have not been replaced with symbolic links pointing to sensitive system resources or files critical to the agent's operation.
This type of vulnerability commonly occurs when:
- File operations are performed in directories where unprivileged users have write access
- The software follows symbolic links without verifying the final target
- Race conditions exist between checking a path and using it (TOCTOU)
Attack Vector
The attack vector is local, requiring an attacker to already have code execution capability on the target Windows system. The exploitation flow involves:
- Identifying a predictable file path used by the Deep Security Agent during privileged operations
- Creating a symbolic link (junction point on Windows) at that location pointing to a critical system file or the agent's own operational files
- Waiting for or triggering the agent to perform the vulnerable file operation
- The agent follows the malicious link and performs the operation on the unintended target, causing service disruption
The vulnerability can be triggered without user interaction once the malicious link is in place. The impact is limited to availability (denial of service) as there is no indication of confidentiality or integrity compromise.
Detection Methods for CVE-2025-30642
Indicators of Compromise
- Unexpected symbolic links or junction points created in directories used by the Deep Security Agent
- Deep Security Agent service crashes or unexpected restarts
- File system audit events showing unusual link creation in agent installation or working directories
- System logs indicating file access errors from the Deep Security Agent process
Detection Strategies
- Monitor for creation of symbolic links or junction points in Trend Micro Deep Security Agent installation directories and temp folders
- Enable Windows Security Event logging for file system symbolic link creation (Event ID 4663 with appropriate audit policies)
- Deploy endpoint detection rules to identify processes creating junction points in protected directories
- Monitor Deep Security Agent service health and alert on unexpected service interruptions
Monitoring Recommendations
- Implement file integrity monitoring on Deep Security Agent installation directories
- Configure alerting for Deep Security Agent service availability issues
- Review Windows Security logs for unusual file system operations by low-privileged users in agent-related paths
- Establish baseline behavior for the ds_agent process and alert on deviations
How to Mitigate CVE-2025-30642
Immediate Actions Required
- Update Trend Micro Deep Security Agent to the latest patched version as specified in the vendor advisory
- Review and restrict write permissions to directories used by the Deep Security Agent where possible
- Monitor for exploitation attempts using the detection strategies outlined above
- Implement principle of least privilege to limit local code execution opportunities for potential attackers
Patch Information
Trend Micro has released patches to address this vulnerability. Administrators should consult the Trend Micro Solution KA-0019344 for specific patch versions and upgrade instructions. Additional technical details are available in the Zero Day Initiative Advisory ZDI-25-241.
Organizations using Deep Security Agent 20.0.1 Long Term Support should prioritize updating to a version that addresses this vulnerability. Verify the update through the Deep Security Manager console or by checking the agent version on individual endpoints.
Workarounds
- Restrict local user accounts and limit the ability for unprivileged users to execute code on protected systems
- Apply strict NTFS permissions on Deep Security Agent directories to prevent unauthorized symlink creation
- Use Windows Group Policy to restrict symbolic link creation capabilities where feasible
- Implement additional monitoring and alerting for Deep Security Agent service health until patches can be applied
# Verify Deep Security Agent version on Windows
# Run from elevated PowerShell prompt
Get-ItemProperty "HKLM:\SOFTWARE\TrendMicro\Deep Security Agent" | Select-Object -Property Version
# Check service status
Get-Service -Name "ds_agent" | Select-Object Name, Status, StartType
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
