Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. This is similar to, but not identical to CVE-2025-49215.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
AnalysisAI
Post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that allows low-privileged authenticated users to escalate privileges through SQL injection attacks. The vulnerability has a CVSS score of 7.7 (high severity) with significant impact on confidentiality, integrity, and availability. While this is a post-auth vulnerability requiring initial low-privileged code execution, successful exploitation enables privilege escalation, making it a critical concern for organizations running affected PolicyServer instances.
Technical ContextAI
This vulnerability exploits improper input validation in SQL query construction within Trend Micro Endpoint Encryption PolicyServer (CWE-89: Improper Neutralization of Special Elements used in an SQL Command). The PolicyServer component, which manages encryption policies across endpoints, fails to properly sanitize user-supplied input before incorporating it into SQL queries. Unlike pre-authentication SQL injection, this variant requires the attacker to already have low-privileged access to the system, reducing the attack surface but increasing post-compromise risk. The vulnerability is similar to but distinct from CVE-2025-49215, suggesting a class of related SQL injection issues in the same product line that may indicate systemic input validation weaknesses in the PolicyServer codebase.
RemediationAI
- Apply vendor-supplied security patches from Trend Micro immediately upon availability. Check Trend Micro's official security advisory portal for CVE-2025-49218 patch details and affected version numbers. 2. Implement access controls limiting local system access to PolicyServer to authorized administrators only. 3. Restrict PolicyServer database access to authenticated, authorized users through role-based access control (RBAC). 4. Monitor PolicyServer logs for suspicious SQL patterns or unusual database query activity that may indicate exploitation attempts. 5. Implement input validation and parameterized/prepared SQL statements in any custom scripts or integrations with PolicyServer. 6. Consider network segmentation to restrict PolicyServer access to trusted administrative networks only. 7. Maintain current backups of PolicyServer database and configurations to enable rapid recovery if compromise occurs.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18560