CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49212 but is in a different method.
Analysis
This is a critical pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer, caused by insecure deserialization. An unauthenticated attacker can exploit it over the network, with no user interaction required, to achieve complete system compromise (confidentiality, integrity, and availability impact). This vulnerability is actively being tracked and should be prioritized for immediate patching, as it requires no privileges or complex attack conditions.
Technical Context
The vulnerability exists in Trend Micro Endpoint Encryption PolicyServer and stems from unsafe deserialization practices (CWE-477: Deserialization of Untrusted Data). The PolicyServer likely deserializes untrusted data from network requests without proper validation, allowing an attacker to instantiate arbitrary objects and execute code during the deserialization process. This is similar to CVE-2025-49212 but occurs in a different method, suggesting a systematic pattern of insecure deserialization across multiple functions in the PolicyServer component. The vulnerability is accessible pre-authentication, meaning no valid credentials are required to trigger it. The affected product is Trend Micro Endpoint Encryption, specifically the PolicyServer component, which manages encryption policies for endpoints.
Affected Products
Trend Micro Endpoint Encryption PolicyServer. Specific version numbers are not provided in the CVE description, but the issue likely affects multiple versions. Based on product architecture, the PolicyServer component is deployed as a centralized management server for endpoint encryption policies across Windows and potentially Linux environments. Organizations using Trend Micro Endpoint Encryption for centralized policy management are affected. Typical deployment scenarios: PolicyServer running on Windows Server or Linux in data centers or cloud environments, managing multiple endpoints. CPE identification would be: cpe:2.3:a:trendmicro:endpoint_encryption:*:* with the PolicyServer component affected.
Remediation
1) IMMEDIATE: Apply the latest security patch from Trend Micro for Endpoint Encryption PolicyServer when released - monitor Trend Micro security advisory pages for CVE-2025-49213 patch availability.
2) INTERIM MITIGATION: If a patch is not immediately available, implement network-level controls restricting access to PolicyServer ports (typically 443/HTTPS for the management interface) to trusted administrative networks only.
3) Disable PolicyServer network access if not actively required.
4) Implement Web Application Firewall (WAF) rules to detect and block suspicious deserialization payloads if PolicyServer traffic analysis signatures are available.
5) Monitor PolicyServer logs for suspicious deserialization errors or unexpected object instantiation attempts.
6) Plan emergency patching procedures given the pre-authentication RCE severity.
7) Verify that patch installation includes fixes for both CVE-2025-49213 and the related CVE-2025-49212 to ensure comprehensive remediation.
EUVD-2025-18647