Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method.
AnalysisAI
Pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. Attackers can exploit this vulnerability over the network without authentication to achieve arbitrary code execution with complete system compromise (confidentiality, integrity, and availability impact). This is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; similar to CVE-2025-49213 but in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.
Technical ContextAI
The vulnerability exists in Trend Micro Endpoint Encryption PolicyServer's deserialization handling (CWE-477: Unsafe Deserialization). The PolicyServer component accepts serialized objects from remote clients without proper validation before deserializing them. This is a classic unsafe deserialization flaw where untrusted input is reconstructed into arbitrary objects, allowing attackers to trigger gadget chains or instantiate malicious classes. The vulnerability is network-accessible (AV:N) with no authentication required (PR:N), indicating it likely affects unauthenticated API endpoints or service ports exposed on the network. The existence of a similarly-numbered CVE (CVE-2025-49213) in the same product suggests multiple deserialization code paths or methods within PolicyServer that lack proper input validation—a systemic architectural issue.
RemediationAI
- IMMEDIATE: Apply security patches from Trend Micro for Endpoint Encryption PolicyServer as released in the official security advisory. 2. INTERIM MITIGATIONS: Restrict network access to PolicyServer ports (typically 443/HTTPS and other service ports) using firewall rules—limit access to trusted management networks only. Disable public internet exposure of PolicyServer. 3. MONITORING: Enable detailed logging on PolicyServer for deserialization events and monitor for suspicious serialized object patterns in network traffic. 4. UPGRADE: Prioritize patching to the latest Trend Micro Endpoint Encryption version that includes the fix for CVE-2025-49217. Consult Trend Micro's security advisory page for specific patch versions and download links. 5. VALIDATION: After patching, verify functionality of PolicyServer and endpoint encryption policies across managed endpoints.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-477 – Use of Obsolete Function
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18650