CVE-2022-28339
Published: 22 February 2025
Description
Trend Micro HouseCall for Home Networks version 5.3.1302 and below contains an uncontrolled search path element vulnerability that could allow an attacker with low user privileges to create a malicious DLL that could lead to escalated privileges.
Security Summary
Trend Micro HouseCall for Home Networks version 5.3.1302 and below is affected by CVE-2022-28339, an uncontrolled search path element vulnerability (CWE-427). This flaw allows an attacker with low user privileges to create a malicious DLL, potentially leading to escalated privileges. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact, with local access required, low attack complexity, low privileges needed, and user interaction required.
An attacker must have local access to the system and low-level user privileges to exploit this vulnerability. Exploitation requires user interaction, such as the victim running a specially crafted file or process that loads the attacker's malicious DLL due to the uncontrolled search path. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, enabling the attacker to escalate privileges on the affected system.
For mitigation details, refer to the Trend Micro advisory at https://helpcenter.trendmicro.com/en-us/article/tmka-21734 and the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-22-620/, which provide information on patches and remediation steps.
Details
- CWE(s)