Egor Filatov, a member of PT SWARM, helped address a critical vulnerability in antivirus software developed by the Japanese company Trend Micro. This security flaw put Apple users at risk—even those who had already uninstalled the antivirus application from their computers. If exploited, the vulnerability could allow an attacker to compromise user data. In cases involving corporate devices, an attacker could also disrupt the organization's business operations.
The vulnerability, tracked as PT-2025-428311¹ (CVE-2025-59931, BDU:2025-04878), scored 7 out of 10 on the CVSS 4.0 scale, indicating a high level of risk. It affected Trend Micro Antivirus version 11.8.1283. If exploited, the bug could enable attackers to escalate their privileges on macOS devices, granting unrestricted access to perform arbitrary actions on the affected system.
The vendor was notified of the threat under the responsible disclosure policy and has released security updates. To stay protected, users should update their antivirus software to version 11.8.1400 or 11.9.36. If updating is not possible, Positive Technologies recommends locating the executable file of the background process in the /Library/LaunchDaemons/ directory and moving it to /Library/PrivilegedHelperTools/. If the vulnerable software was previously uninstalled, it is important to also remove the leftover executable file.
Trend Micro solutions are used by more than 500,000 organizations worldwide. The company has offices in the United States, Canada, Japan, the Asia-Pacific region, Latin America, Europe, the Middle East, and Africa. According to IDC, Trend Micro accounted for nearly 8% of the global endpoint security market in 2022, ranking third among the world's leading vendors.
¹ The security vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.
"Trend Micro Antivirus installs a privileged component on the user's computer, enabling the software to scan system files and block malware. After uninstalling the vulnerable version of the antivirus, this component would remain in a directory accessible to any user. To exploit this vulnerability, an attacker would simply need to gain access to the system—for example, by using malware disguised as regular software. Then, using the leftover antivirus component, the attacker could escalate their privileges to superuser (root) level."
With elevated privileges, attackers could theoretically gain complete control over a victim's computer, which also includes the ability to read and modify sensitive information. Root access would allow them to steal passwords and other confidential data, deploy ransomware, or maintain persistent access to the system. If the compromised computer is connected to a corporate network, the attacker could establish a foothold in the network to exfiltrate trade secrets or disrupt the organization's business processes.
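The quoted description hinges on a privileged helper left in a directory that any local user can reach, and the mitigation above asks users to locate and move or delete that file. As an added defender-side check (not code from Positive Technologies or Trend Micro), the POSIX shell script below audits the two macOS directories named in the advisory for entries that an unprivileged user could replace or modify: anything not owned by root, or writable by group or others. The advisory does not name the helper binary, so the script checks every entry rather than a specific file name.

```shell
#!/bin/sh
# Report entries in a privileged-helper directory that an unprivileged local
# user could tamper with: not owned by root, or writable by group/others.
# Exit status: 0 = nothing found, 1 = at least one finding, 2 = bad directory.

# Check one path. `ls -ld` lays out its first field (mode string) and third
# field (owner) the same way on macOS and Linux, so no stat(1) dialect is needed.
check_path() {
  p="$1"
  set -- $(ls -ld "$p")
  mode="$1"; owner="$3"
  found=0
  if [ "$owner" != "root" ]; then
    echo "NOT_ROOT_OWNED $p (owner=$owner)"; found=1
  fi
  # characters 6 and 9 of the mode string are the group and other write bits
  if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] || \
     [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
    echo "WRITABLE $p (mode=$mode)"; found=1
  fi
  return "$found"
}

# Check the directory itself (a writable directory lets anyone swap its
# contents, even if each file is locked down) and then every entry in it.
audit_privileged_dir() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
  status=0
  check_path "$dir" || status=1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue        # empty directory: the glob stays literal
    check_path "$f" || status=1
  done
  return "$status"
}

# Usage: pass the directories to audit, e.g. the two named in the advisory:
#   sh audit_helpers.sh /Library/LaunchDaemons /Library/PrivilegedHelperTools
if [ "$#" -gt 0 ]; then
  rc=0
  for d in "$@"; do audit_privileged_dir "$d" || rc=1; done
  exit "$rc"
fi
```

Any NOT_ROOT_OWNED or WRITABLE line is worth a look; a helper that should have been removed at uninstall time will show up as an entry that no longer has a matching installed package.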
In 2024, Dmitry Zuzlov, another researcher with PT SWARM, assisted in fixing two vulnerabilities (CVE-2024-7400 and CVE-2024-6654) in ESET's antivirus software. These flaws could have enabled attackers to escalate privileges on Windows systems or disable antivirus protection on macOS devices.
For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from around the world.