Trend Micro Addresses Critical Vulnerabilities Across Multiple Product Lines
Trend Micro has announced the release of security updates to remediate multiple critical-severity vulnerabilities affecting its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. The company has reported no active exploitation of these vulnerabilities at present, yet it strongly advises prompt application of the updates to mitigate potential risks.
Trend Micro Endpoint Encryption PolicyServer functions as a centralized management server for TMEE, delivering full disk encryption and removable media encryption for Windows-based endpoints. This product is integral in organizational settings, especially within regulated industries that prioritize compliance with data protection standards.
The recent update addresses several high-severity and critical vulnerabilities, including:
- CVE-2025-49212 – A pre-authentication remote code execution vulnerability resulting from insecure deserialization in the PolicyValueTableSerializationBinder class, enabling remote attackers to execute arbitrary code with SYSTEM privileges without needing to log in.
- CVE-2025-49213 – Another pre-authentication remote code execution vulnerability found in the PolicyServerWindowsService class, also linked to deserialization of untrusted data, permitting execution of arbitrary code as SYSTEM without authentication.
- CVE-2025-49216 – An authentication bypass vulnerability in the DbAppDomain service, due to flawed authentication implementation, which allows unauthorized access for remote attackers, permitting administrative actions without credentials.
- CVE-2025-49217 – A pre-authentication RCE vulnerability in the ValidateToken method triggered by unsafe deserialization that, while more complex to exploit, still enables unauthenticated attackers to execute code with SYSTEM privileges.
It is noteworthy that although Trend Micro’s security bulletin categorizes all these vulnerabilities as critical, the Zero Day Initiative (ZDI) rated CVE-2025-49217 as high severity.
Additionally, the latest version of Endpoint Encryption PolicyServer addresses four other high-severity vulnerabilities involving SQL injection and privilege escalation. These vulnerabilities affect all versions up to the latest and were resolved in version 6.0.0.4013 (Patch 1 Update 6). There are no recommended mitigations or workarounds available.
A separate set of issues addressed by Trend Micro affects Apex Central, the centralized security management console utilized for monitoring and managing various Trend Micro products across organizations. The identified vulnerabilities are also of critical severity and pertain to pre-authentication remote code execution:
- CVE-2025-49219 – A pre-authentication RCE vulnerability in the GetReportDetailView method of Apex Central, resulting from insecure deserialization, which allows unauthenticated attackers to execute code within the NETWORK SERVICE context (CVSS 9.8).
- CVE-2025-49220 – A pre-auth RCE issue in Apex Central within the ConvertFromJson method, where improper input validation during deserialization enables remote arbitrary code execution without authentication (CVSS 9.8).
These vulnerabilities were remedied in Patch B7007 for Apex Central 2019 (on-premise), with automatic application on the backend for Apex Central as a Service.