Unauthenticated RCE and Login Bypass Risks in Trend Micro Security Tools

Trend Micro has released critical security updates to address six major vulnerabilities affecting its Endpoint Encryption PolicyServer and Apex Central platforms. These flaws allow unauthenticated remote attackers to achieve remote code execution or bypass authentication without user interaction. All vulnerabilities stem from unsafe deserialization or flawed authentication logic, posing a significant threat if left unpatched. No active exploitation has been observed as of the disclosure date, but urgent patching is strongly recommended.

Severity Level: Critical

Vulnerability Details

1. Vulnerabilities in TMEE PolicyServer:

  • CVE-2025-49212
    • Type: Pre-authentication Remote Code Execution
    • CVSS Score: 9.8
    • Root Cause: Insecure deserialization in PolicyValueTableSerializationBinder class
    • Impact: Allows unauthenticated remote attackers to execute arbitrary code as SYSTEM
  • CVE-2025-49213
    • Type: Pre-authentication Remote Code Execution
    • CVSS Score: 9.8
    • Root Cause: Deserialization of untrusted data in PolicyServerWindowsService
    • Impact: Attackers can execute arbitrary code as SYSTEM without authentication
  • CVE-2025-49216
    • Type: Authentication Bypass
    • CVSS Score: 9.8
    • Root Cause: Broken authentication logic in DbAppDomain service
    • Impact: Full administrative access without credentials
  • CVE-2025-49217
    • Type: Pre-authentication Remote Code Execution
    • CVSS Score: 8.1
    • Root Cause: Unsafe deserialization in ValidateToken method
    • Impact: Code execution as SYSTEM; harder to exploit but still possible

2. Vulnerabilities in Apex Central:

  • CVE-2025-49219
    • Type: Pre-authentication Remote Code Execution
    • CVSS Score: 9.8
    • Root Cause: Insecure deserialization in GetReportDetailView
    • Impact: Allows unauthenticated attackers to execute code as NETWORK SERVICE
  • CVE-2025-49220
    • Type: Pre-authentication Remote Code Execution
    • CVSS Score: 9.8
    • Root Cause: Improper input validation during deserialization in ConvertFromJson
    • Impact: Remote attackers can execute arbitrary code without login

Affected Products

1. Trend Micro Endpoint Encryption (TMEE) PolicyServer – Versions before 6.0.0.4013
2. Trend Micro Apex Central 2019 (on-premises)

Recommendations

1. Apply Patch 1 Update 6 for TMEE PolicyServer and Patch B7007 for Apex Central on-premises deployments.
2. Exploiting these types of vulnerabilities generally requires that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, Trend Micro customers are also advised to review remote access to critical systems and ensure policies and perimeter security are up to date.
3. Restrict access to the PolicyServer and Apex Central interfaces to internal IPs only.
4. Conduct internal audits for unauthorized access or privilege escalation.
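
One way to audit recommendations 3 and 4 from web server logs, as an added example that is not part of the original advisory or any Trend Micro tooling. It assumes the management interface's web server writes W3C extended logs with a c-ip column; the log lines, URI paths and internal ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample in W3C extended log format (not real traffic).
# The URI paths are placeholders, not product endpoints.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2025-06-12 08:14:02 10.0.5.20 GET /placeholder/console 443 10.0.8.31 200
2025-06-12 08:15:40 10.0.5.20 POST /placeholder/api 443 203.0.113.77 200
2025-06-12 08:16:05 10.0.5.20 POST /placeholder/api 443 203.0.113.77 500
2025-06-12 08:17:19 10.0.5.20 GET /placeholder/console 443 192.168.4.9 302
2025-06-12 08:18:54 10.0.5.20 POST /placeholder/api 443 198.51.100.4 403
"""

# Assumption: "internal" means these ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address: treat as not internal
    return any(ip in net for net in INTERNAL_NETS)

def external_requests(log_text):
    """Return {client_ip: [(date, time, method, uri, status), ...]} for
    requests whose client address is outside INTERNAL_NETS."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        client = row.get("c-ip", "")
        if not is_internal(client):
            hits.setdefault(client, []).append(
                (row.get("date"), row.get("time"), row.get("cs-method"),
                 row.get("cs-uri-stem"), row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for ip, reqs in external_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) from outside the internal ranges")
        for r in reqs:
            print("   ", *r)
```

Any client address it reports means the interface was reachable from outside the allowed ranges during the logged period; those requests are the starting point for the access audit.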

Source:

• https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critical-flaws-on-apex-central-endpoint-encryption-policyserver/
• https://www.zerodayinitiative.com/advisories/ZDI-25-369/
• https://www.zerodayinitiative.com/advisories/ZDI-25-370/
• https://www.zerodayinitiative.com/advisories/ZDI-25-373/
• https://www.zerodayinitiative.com/advisories/ZDI-25-374/
• https://www.zerodayinitiative.com/advisories/ZDI-25-366/
• https://www.zerodayinitiative.com/advisories/ZDI-25-367/
• https://success.trendmicro.com/en-US/solution/KA-0019928
• https://success.trendmicro.com/en-US/solution/KA-0019926
