Severity by source
AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
AnalysisAI
SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that enables privilege escalation on affected systems. The vulnerability requires an attacker to first obtain low-privileged code execution on the target system, after which SQL injection can be leveraged to escalate privileges and gain high-impact access (confidentiality compromise, integrity violation, availability disruption). With a CVSS score of 7.7 and local attack vector, this poses a significant risk to organizations running vulnerable PolicyServer instances, particularly in multi-user environments or where low-privileged service accounts are present.
Technical ContextAI
The vulnerability is a classic SQL injection flaw (CWE-89) within Trend Micro's Endpoint Encryption PolicyServer component. SQL injection occurs when user-supplied or application-controlled input is improperly sanitized before being incorporated into SQL queries, allowing attackers to manipulate query logic. In this case, an authenticated local user with low privileges can craft malicious input that breaks out of intended SQL statement boundaries, enabling them to execute arbitrary SQL commands. This likely affects the PolicyServer's database interaction layer, which manages encryption policies, user credentials, or system configurations. The local attack vector (AV:L) indicates the attacker must have prior system access; the high complexity (AC:H) suggests specific conditions or user interaction may be required to trigger the vulnerability; and the low privilege requirement (PR:L) means any authenticated local user can attempt exploitation. The scope change (S:C) indicates the vulnerability can impact resources beyond the vulnerable component itself, enabling broader system compromise.
RemediationAI
- Apply security patches from Trend Micro addressing CVE-2025-49211 to all affected PolicyServer installations—contact Trend Micro support or check the security advisory for specific patch versions and deployment procedures. 2. As an immediate interim mitigation, restrict local access to PolicyServer systems to only authorized administrators and required service accounts; implement role-based access control (RBAC) to minimize the number of low-privileged users with system access. 3. Implement database activity monitoring (DAM) on the PolicyServer database backend to detect and alert on suspicious SQL patterns or unusual query execution. 4. Apply principle of least privilege to database service accounts—ensure PolicyServer database accounts operate with minimal required permissions (no DDL/DML on non-policy tables). 5. Isolate PolicyServer systems on a dedicated network segment with restricted inbound access; use firewall rules to limit access to authorized administrative systems only. 6. If immediate patching is not feasible, consider disabling PolicyServer functionality that is not actively required, or temporarily migrating to an alternative encryption policy management solution.
More in Trend Micro
View allOn the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows
A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in
Proxy command injection vulnerability in Trend Micro OfficeScan 11 and XG (12) allows remote attackers to execute arbitr
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
Proxy command injection vulnerability in Trend Micro InterScan Messaging Virtual Appliance 9.0 and 9.1 allows remote att
SnmpUtils in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330
An issue was discovered in Trend Micro InterScan Messaging Security (Virtual Appliance) 9.1-1600. Rated high severity (C
Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 before CP 1644 has XSS. Rated medium severity (CV
SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterprise) versions before 9.7 Patch 3 allow remote attac
The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url para
An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeScan 11.0 and XG may allow remote unauthenticated u
A vulnerability in Trend Micro InterScan Web Security Virtual Appliance 6.5 may allow remote attackers to bypass authent
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28283