Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.
AnalysisAI
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization in an unnamed method. An unauthenticated attacker on the network can exploit this over the network without user interaction to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively monitored and represents a critical threat requiring immediate patching.
Technical ContextAI
The vulnerability exists in the deserialization processing logic of Trend Micro Endpoint Encryption PolicyServer's network-accessible service component. CWE-477 (Use of Obsolete Function) combined with insecure deserialization practices represents a dangerous pattern where untrusted serialized objects are reconstructed without proper validation. The PolicyServer component handles encryption policy distribution and management across enterprise endpoints; its network-facing position makes it an attractive target. The similarity to CVE-2025-49220 (affecting a different method in the same product) suggests a systemic issue with deserialization handling across multiple code paths within the PolicyServer service, potentially indicating the use of legacy or unsafe serialization frameworks without proper input validation.
RemediationAI
Immediate actions: (1) Consult the official Trend Micro security advisory for CVE-2025-49212 to identify your installed version's vulnerability status; (2) Apply vendor-released security patches immediately upon availability—do not delay; (3) If patches are not yet available, implement network segmentation to restrict access to PolicyServer to trusted administrative networks only, removing direct internet accessibility; (4) Monitor PolicyServer logs for suspicious serialization-related errors or unexpected connection attempts; (5) Consider temporary disablement of PolicyServer if operationally feasible until patches are deployed and tested; (6) Review and strengthen authentication mechanisms for any management interfaces as a defense-in-depth measure. References to patches should be obtained directly from Trend Micro's official security portal.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-477 – Use of Obsolete Function
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18640