EUVD-2025-18650 | CVE-2025-49217 | CRITICAL
2025-06-17 [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

- Mar 14, 2026 - 22:15 (euvd): EUVD ID Assigned (EUVD-2025-18650)
- Mar 14, 2026 - 22:15 (vuln.today): Analysis Generated
- Jun 17, 2025 - 21:15 (nvd): CVE Published (CRITICAL 9.8)

Description

An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method.

Analysis

This is a pre-authentication remote code execution vulnerability in Trend Micro Endpoint Encryption PolicyServer caused by insecure deserialization. An attacker can exploit it over the network without authentication to achieve arbitrary code execution and complete system compromise (high confidentiality, integrity, and availability impact). It is a critical, actively exploitable vulnerability affecting Trend Micro Endpoint Encryption deployments; it is similar to CVE-2025-49213 but lies in a different vulnerable method, indicating a pattern of insecure deserialization issues in the same product.

Technical Context

The vulnerability exists in Trend Micro Endpoint Encryption PolicyServer's deserialization handling (CWE-477: Unsafe Deserialization). The PolicyServer component accepts serialized objects from remote clients without proper validation before deserializing them. This is a classic unsafe deserialization flaw where untrusted input is reconstructed into arbitrary objects, allowing attackers to trigger gadget chains or instantiate malicious classes. The vulnerability is network-accessible (AV:N) with no authentication required (PR:N), indicating it likely affects unauthenticated API endpoints or service ports exposed on the network. The existence of a similarly-numbered CVE (CVE-2025-49213) in the same product suggests multiple deserialization code paths or methods within PolicyServer that lack proper input validation—a systemic architectural issue.

Affected Products

Trend Micro Endpoint Encryption PolicyServer (specific version ranges not provided in available data, but likely affects multiple recent versions). The PolicyServer component is a central management service for Trend Micro's endpoint encryption solution. Additional affected product variants may include: Trend Micro Endpoint Encryption (server components), Trend Micro ServerProtect with PolicyServer functionality. Organizations should consult Trend Micro's official security advisory for exact affected version ranges (e.g., PolicyServer versions prior to patch release). The vulnerability specifically impacts installations where PolicyServer is network-accessible.

Remediation

1. IMMEDIATE: Apply security patches from Trend Micro for Endpoint Encryption PolicyServer as released in the official security advisory.
2. INTERIM MITIGATIONS: Restrict network access to PolicyServer ports (typically 443/HTTPS and other service ports) using firewall rules, limiting access to trusted management networks only. Disable public internet exposure of PolicyServer.
3. MONITORING: Enable detailed logging on PolicyServer for deserialization events and monitor for suspicious serialized object patterns in network traffic.
4. UPGRADE: Prioritize patching to the latest Trend Micro Endpoint Encryption version that includes the fix for CVE-2025-49217. Consult Trend Micro's security advisory page for specific patch versions and download links.
5. VALIDATION: After patching, verify functionality of PolicyServer and endpoint encryption policies across managed endpoints.

Priority Score

51 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +2.5
CVSS: +49
POC: 0

EUVD-2025-18650 vulnerability details – vuln.today
