CVE-2021-32462: Trend Micro Password Manager Remote Code Execution Vulnerability

On June 28, 2021, Trend Micro released a risk notice for a security update to its Password Manager. The update covers two vulnerabilities: CVE-2021-32461 (CVSSv3 score: 7.0) and CVE-2021-32462 (CVSSv3 score: 8.8).
Trend Micro Password Manager for Windows has a remote code execution vulnerability. Attackers can use this vulnerability to execute arbitrary code as SYSTEM and take over the user's computer.

Vulnerability Detail

CVE-2021-32461: Integer Truncation Privilege Escalation

CVSSv3: 7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Integer Truncation Privilege Escalation vulnerability which could allow an unprivileged local attacker to trigger a buffer overflow and escalate privileges on affected installations.

CVE-2021-32462: Exposed Hazardous Function Remote Code Execution

CVSSv3: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Trend Micro Password Manager (Consumer) version 5.0.0.1217 and below is vulnerable to an Exposed Hazardous Function Remote Code Execution vulnerability which could allow an unprivileged client to manipulate the registry and escalate privileges to SYSTEM on affected installations.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

We recommend that users upgrade Trend Micro Password Manager to the latest version promptly.