Trend Micro Password Manager may insecurely load Dynamic Link Libraries


Password Manager provided by Trend Micro Incorporated contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [NVD Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 4.4 (Medium) [NVD Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Trend Micro, Inc.
  • Password Manager 5.x for Windows prior to versions


During the installation of the product, an arbitrary program may be executed with the privileges of the user invoking the installer.

[Update the Software]
If the product is already installed, update to the latest version according to the information provided by the developer.
The update that addresses this vulnerability is available and is automatically applied through the product's ActiveUpdate automatic update feature.
The issue is addressed in the following version:

* Password Manager for Windows

[Use the latest version]
Use the latest version when installing the product.
Vendor Information

Trend Micro, Inc.
CWE

  1. Uncontrolled Search Path Element (CWE-427) [NVD Evaluation]
CVE

  1. CVE-2021-28647

  1. JVN : JVNVU#98074915
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2021-28647
Revision History

  • [2021/04/20]
      Web page was published