
CVE-2022-4326: Medium Vulnerability in Trellix Endpoint Security

CVE-2022-4326 is a medium-severity vulnerability affecting Trellix Endpoint Agent prior to version V35.31.22 on Windows. It allows local users with administrator privileges to bypass product protection mechanisms. Immediate remediation is recommended.

MEDIUM · CVSS 5.5 · Published December 16, 2022


CVE-2022-4326 is a medium-severity vulnerability affecting Trellix Endpoint Agent (xAgent) prior to version V35.31.22 on Windows. It allows a local user who already holds administrator privileges to bypass the product's removal protection and uninstall the agent, because the permissions on that removal protection functionality are applied incorrectly. The CVSS score is 5.5 (medium).

Although the score is medium, the practical consequence is the loss of a security control: improper preservation of permissions lets a local administrator remove the agent, leaving the host without endpoint protection and giving an attacker who has already gained those rights free rein to operate undetected. Organizations should address this vulnerability in their priority patch cycle.

At the time of writing there is no known exploit or public proof of concept, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. The bar for abuse is nonetheless low: any local administrator, including an attacker who obtained those rights through some other weakness, can trigger it, so remediation should not wait for exploitation reports.

Vulnerability Details

A local user with administrator privileges can bypass the product protection and uninstall the agent via incorrectly applied permissions in the removal protection functionality. The CVSS score is 5.5 (medium). The affected product is Trellix Endpoint Agent on Windows; the vulnerability was published on December 16, 2022.

The weakness is classified as CWE-281, Improper Preservation of Permissions: the access controls meant to protect the removal functionality are not carried through correctly, so an administrator is not blocked from uninstalling the agent. Organizations using the affected software should confirm they are running version V35.31.22 or later.

Technical Analysis

The root cause is incorrect permission handling in the removal protection functionality, so the safeguard intended to stop the agent from being uninstalled can be defeated by an account that is supposed to be subject to it. Exploitation is local: the attacker must already hold high privileges (local administrator) and some user interaction is involved.

Attack complexity is low, so once those prerequisites are met there is no further obstacle. The confidentiality impact is none; the integrity and availability impacts are the significant part, since removing the agent leaves the endpoint unmonitored and unprotected.

Risk & Impact Analysis

The risk to organizations is the unauthorized removal of a critical security component, which exposes the host to follow-on activity that the agent would otherwise detect or block. The blast radius grows with the number of accounts that hold local administrator rights: in environments where end users routinely run as administrators, any compromised user session is enough to remove endpoint protection from that machine.

Given the CVSS score of 5.5 and the absence of known exploitation, this is not an emergency patch, but the consequence of a successful bypass (a blind spot on the endpoint) justifies handling it in the priority patch cycle rather than a routine one.

Signal status

Known Exploit: No
Public PoC: No
Actively Exploited: No
Ransomware Use: No

Affected Versions

All Windows versions of Trellix Endpoint Agent prior to V35.31.22 are affected. Organizations running an affected build should schedule the upgrade promptly.
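The following is an added example, not Trellix or AppSecure code, showing how to triage an agent inventory against the fixed build. It parses the advisory's "V35.31.22" version format into integers before comparing, which avoids the common mistake of comparing version strings lexically ("V35.31.9" sorts after "V35.31.22" as text and would be reported as fixed). The inventory rows and hostnames are constructed sample data, and the assumption that non-Windows agents are out of scope follows the advisory's wording.

```python
"""Added example: triage an endpoint inventory against the fixed build.

Not Trellix code. Version strings follow the advisory's "V35.31.22" format;
the inventory rows below are constructed sample data, not real hosts.
"""
import re

FIXED_VERSION = "V35.31.22"   # first fixed build per the advisory (Windows only)

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V35.31.22' (or '35.31.22') into a comparable integer tuple.

    Comparing the raw strings is a classic triage bug: 'V35.31.9' > 'V35.31.22'
    lexically, so a vulnerable 35.31.9 build would be reported as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised xAgent version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, platform: str = "Windows") -> bool:
    """True if this agent build is vulnerable to CVE-2022-4326.

    The advisory scopes the issue to Windows builds prior to V35.31.22, so
    agents on other platforms are treated as not affected regardless of version
    (an assumption taken from the advisory text, not from Trellix tooling).
    """
    if platform.lower() != "windows":
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def affected_hosts(inventory: list[dict]) -> list[str]:
    """Return hostnames that still need the upgrade, sorted for reporting."""
    return sorted(
        row["host"] for row in inventory
        if is_affected(row["version"], row["platform"])
    )


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    {"host": "WS-101", "platform": "Windows", "version": "V35.31.9"},
    {"host": "WS-102", "platform": "Windows", "version": "V35.31.22"},
    {"host": "WS-103", "platform": "Windows", "version": "V35.30.27"},
    {"host": "SRV-01", "platform": "Windows", "version": "V35.32.1"},
    {"host": "MAC-01", "platform": "macOS",   "version": "V35.31.9"},
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_VERSION} or later")
```

Feed it whatever your management console or asset database exports; the only requirement is a host, a platform and the agent version string per row. Rows with a version the regex does not recognise raise rather than being silently skipped, so a malformed export cannot hide an unpatched host.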

Mitigation & Remediation

Upgrade to version V35.31.22 or later. Where patching must wait, shrink the population of accounts that can reach the flaw: remove standing local administrator rights from end users, grant administrative access only when needed and for a limited time, and alert on removal of the agent so that a bypass is noticed rather than discovered at the next incident.

Configuration hardening also reduces risk: review the removal protection settings in the management console and confirm that ordinary users are not members of the local Administrators group on endpoints.

Detection Guidance

Monitor for signs that the agent has been removed or stopped outside a sanctioned change: Windows Installer removal events naming the agent product, Service Control Manager events showing the agent service entering the stopped state, and hosts that stop reporting to the management console shortly after an administrator logon. Correlating these with the logged-on user identifies who performed the removal and whether it was authorized.
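The following is an added example of that detection logic, not code from the page or from Trellix. It runs over constructed sample event records (a flattened "time|host|provider|event_id|user|message" form, not real telemetry) and flags Windows Installer product-removal events and Service Control Manager stop events that name the agent. The product and service names it matches are assumptions; adjust them to what your deployment actually logs.

```python
"""Added example: flag uninstall / service-stop events for the Trellix agent.

Not Trellix or AppSecure code. The records below are constructed sample
events in a flattened "time|host|provider|event_id|user|message" form;
the product and service names matched are assumptions, so tune them to
what your own endpoints report.
"""
import re
from dataclasses import dataclass

# Assumed display/service names for the agent; tune to your environment.
AGENT_NAME_RE = re.compile(r"Trellix Endpoint Agent|xAgent", re.IGNORECASE)

# Windows Installer (MsiInstaller) event IDs written on product removal:
# 1034 "Windows Installer removed the product", 11724 "Removal completed successfully".
MSI_REMOVAL_EVENTS = {1034, 11724}
# Service Control Manager 7036: "The <name> service entered the <state> state."
SCM_STATE_CHANGE = 7036


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    user: str
    kind: str      # "agent_uninstalled" or "agent_service_stopped"
    message: str


def parse_record(line: str) -> dict:
    """Split one flattened record; the message may itself contain '|'."""
    time, host, provider, event_id, user, message = line.split("|", 5)
    return {"time": time, "host": host, "provider": provider,
            "event_id": int(event_id), "user": user, "message": message}


def detect(lines: list[str]) -> list[Alert]:
    """Return one Alert per event that looks like removal protection being bypassed."""
    alerts: list[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if not AGENT_NAME_RE.search(rec["message"]):
            continue  # some other product or service; not our concern here
        if rec["provider"] == "MsiInstaller" and rec["event_id"] in MSI_REMOVAL_EVENTS:
            kind = "agent_uninstalled"
        elif (rec["provider"] == "Service Control Manager"
              and rec["event_id"] == SCM_STATE_CHANGE
              and "stopped state" in rec["message"]):
            kind = "agent_service_stopped"
        else:
            continue  # e.g. the service entering the running state is benign
        alerts.append(Alert(rec["time"], rec["host"], rec["user"], kind, rec["message"]))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, set[str]]:
    """Collapse alerts to {host: {alert kinds}} for a quick triage view."""
    out: dict[str, set[str]] = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.kind)
    return out


# Constructed sample events (hypothetical hosts, users and timestamps).
SAMPLE_EVENTS = [
    "2022-12-20T09:14:02Z|WS-101|Service Control Manager|7036|SYSTEM|"
    "The Trellix Endpoint Agent service entered the stopped state.",
    "2022-12-20T09:14:10Z|WS-101|MsiInstaller|11724|CORP\\jdoe|"
    "Product: Trellix Endpoint Agent -- Removal completed successfully.",
    "2022-12-20T09:14:11Z|WS-101|MsiInstaller|1034|CORP\\jdoe|"
    "Windows Installer removed the product. Product Name: Trellix Endpoint Agent. Product Version: 35.31.9.",
    "2022-12-20T10:02:33Z|WS-102|MsiInstaller|11724|CORP\\asmith|"
    "Product: Notepad++ -- Removal completed successfully.",
    "2022-12-20T10:05:00Z|WS-103|Service Control Manager|7036|SYSTEM|"
    "The Trellix Endpoint Agent service entered the running state.",
]

if __name__ == "__main__":
    for host, kinds in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(sorted(kinds))}")
```

In practice the user field on the MsiInstaller events is the useful pivot: an uninstall performed by a named administrator outside a change window is the signal to investigate, whereas the same events from a deployment account during a scheduled upgrade are expected.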

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of proper permission management in security software. As organizations increasingly rely on endpoint protection, ensuring that permissions are correctly applied is crucial.

Security teams should audit their endpoint protection configurations regularly and test whether a local administrator can actually disable or remove the agent, since removal protection is only as strong as the permissions that enforce it.

Organizations should also stay informed about vulnerabilities in their software stack and ensure that they have a robust vulnerability management program in place to address risks effectively.

Ultimately, proactive measures and a strategic approach to security can mitigate the risks associated with vulnerabilities like CVE-2022-4326.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
