CVE-2021-32466: 
Trend Micro HouseCall for Home Networks vulnerability analysis and mitigation

An uncontrolled search path element privilege escalation vulnerability was discovered in Trend Micro HouseCall for Home Networks version 5.3.1225 and below. The vulnerability, identified as CVE-2021-32466, was disclosed on September 23, 2021, affecting Windows-based installations of the software (Trend Advisory, ZDI Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from an uncontrolled search path element that could allow an attacker to escalate privileges by placing a custom crafted file in a specific directory to load a malicious library (Trend Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with elevated privileges on the affected system. However, the attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability (Trend Advisory).

Trend Micro has released version 5.3.1285 to address this vulnerability. The fix is available through both a manual download and the product's ActiveUpdate automatic update mechanism. Users are advised to ensure their systems are updated to the latest version (Trend Advisory).

The vulnerability was responsibly disclosed by Xavier Danest from Decathlon, working with Trend Micro's Zero Day Initiative (Trend Advisory).