Cyber Posture

CVE-2022-28339

High

Published: 22 February 2025

Modified: 29 July 2025
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-28339 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Trend Micro HouseCall for Home Networks. Its CVSS base score is 7.3 (High).

Operationally, it is ranked at the 21.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely identification, testing, and installation of software patches to remediate the specific uncontrolled search path vulnerability in CVE-2022-28339.

Prevent: Enforces secure configuration settings such as safe DLL search mode to prevent loading of malicious DLLs from uncontrolled paths exploited in CVE-2022-28339.

Prevent: Implements least privilege to restrict low-privilege attackers from achieving successful privilege escalation even if a malicious DLL is loaded via CVE-2022-28339.

NVD Description

Trend Micro HouseCall for Home Networks version 5.3.1302 and below contains an uncontrolled search path element vulnerability that could allow an attacker with low user privileges to create a malicious DLL that could lead to escalated privileges.

Deeper analysis (AI)

Trend Micro HouseCall for Home Networks version 5.3.1302 and below is affected by CVE-2022-28339, an uncontrolled search path element vulnerability (CWE-427). This flaw allows an attacker with low user privileges to create a malicious DLL, potentially leading to escalated privileges. The vulnerability has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access, low attack complexity, low privileges, and user interaction required.

An attacker must have local access to the system and low-level user privileges to exploit this vulnerability. Exploitation requires user interaction, such as the victim running a specially crafted file or process that loads the attacker's malicious DLL due to the uncontrolled search path. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, enabling the attacker to escalate privileges on the affected system.

For mitigation details, refer to the Trend Micro advisory at https://helpcenter.trendmicro.com/en-us/article/tmka-21734 and the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-22-620/, which provide information on patches and remediation steps.

Details

CWE(s)

Affected Products

trendmicro · housecall for home networks · ≤ 5.3.1308

CVEs Like This One

CVE-2025-69260 (Same product: Microsoft Windows)
CVE-2025-69259 (Same product: Microsoft Windows)
CVE-2025-33229 (Same product: Microsoft Windows)
CVE-2026-22561 (Same product: Microsoft Windows)
CVE-2025-57836 (Same product: Microsoft Windows)
CVE-2025-53378 (Same product: Microsoft Windows)
CVE-2024-55540 (Same product: Microsoft Windows)
CVE-2025-69258 (Same product: Microsoft Windows)
CVE-2025-15558 (Same product: Microsoft Windows)
CVE-2024-55543 (Same product: Microsoft Windows)
