Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-64 (Windows快捷方式跟随(.LNK)) — Vulnerability Class 9

9 vulnerabilities classified as CWE-64 (Windows快捷方式跟随(.LNK)). AI Chinese analysis included.

CWE-64 represents a path traversal vulnerability specific to Windows environments, occurring when applications fail to validate the actual target of a .LNK shortcut file. Attackers typically exploit this weakness by crafting malicious shortcuts that point to sensitive system directories or unauthorized files outside the application’s intended control sphere. When the vulnerable software processes these shortcuts, it inadvertently grants access to resources it should not, potentially leading to data exfiltration, unauthorized modification, or privilege escalation. To mitigate this risk, developers must implement rigorous input validation that resolves symbolic links and shortcuts before processing. This involves checking the final resolved path against a whitelist of allowed directories, ensuring that the application strictly operates only within its designated security boundary and ignores any attempts to redirect execution to external, untrusted locations.

MITRE CWE Description
The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Common Consequences (1)
Confidentiality, IntegrityRead Files or Directories, Modify Files or Directories
The shortcut (file with the .lnk extension) can permit an attacker to read/write a file that they originally did not have permissions to access.
Mitigations (1)
Architecture and DesignFollow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CVE IDTitleCVSSSeverityPublished
CVE-2025-7376 Information Tampering Vulnerability in Multiple Processes of GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, IoTWorX, MC Works64, and GENESIS — GENESIS64 5.9 Medium2025-08-06
CVE-2025-53503 Trend Micro Cleaner One Pro 安全漏洞 — Trend Micro Cleaner One Pro 7.8 High2025-07-10
CVE-2025-52837 Trend Micro Password Manager 安全漏洞 — Trend Micro Password Manager 7.8 High2025-07-10
CVE-2025-52521 Trend Micro Security 安全漏洞 — Trend Micro Security (Consumer) 7.8 High2025-07-10
CVE-2025-49385 Trend Micro Security 安全漏洞 — Trend Micro Internet Security (Consumer) 7.8 High2025-06-17
CVE-2025-49384 Trend Micro Security 安全漏洞 — Trend Micro Internet Security (Consumer) 7.8 High2025-06-17
CVE-2025-48443 Trend Micro Password Manager 安全漏洞 — Trend Micro Password Manager 6.7 Medium2025-06-17
CVE-2021-41562 Deletion of arbitrary files vulnerability in Snow Agent for Windows — Snow Agent for Windows 6.1 Medium2021-11-03
CVE-2021-1492 Duo Authentication Proxy Installer Denial of Service Vulnerability — Duo Authentication Proxy 6.6 Medium2021-03-25

Vulnerabilities classified as CWE-64 (Windows快捷方式跟随(.LNK)) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.