CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
Analysis
Post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer that enables authenticated attackers to escalate privileges and achieve full system compromise (confidentiality, integrity, and availability impact). The vulnerability requires an attacker to first obtain low-privileged code execution on the target system before exploiting the SQL injection to escalate to administrative privileges. With a CVSS score of 8.8 and network accessibility, this represents a significant risk to organizations running vulnerable PolicyServer instances, particularly in environments where initial compromise vectors (phishing, lateral movement, supply chain) are plausible.
Technical Context
The vulnerability exists in the Trend Micro Endpoint Encryption PolicyServer's handling of SQL queries, which fails to properly sanitize user-supplied input in post-authentication contexts. This represents a classic SQL injection flaw (CWE-242, also known as CWE-89 Use of Insufficiently Trusted Source in SQL Command) where an authenticated user with low privileges can manipulate SQL logic to bypass authorization controls or extract sensitive data. The PolicyServer component is responsible for centralized policy management and enforcement in enterprise endpoint encryption deployments. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), indicating the attacker does not need to manipulate conditions beyond standard SQL injection techniques. The authentication requirement (PR:L) means this is a privilege escalation vector rather than an unauthenticated remote code execution.
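The flaw class described above (user input concatenated into a SQL statement so that an authenticated caller can alter the query's authorization logic) and its standard fix are easiest to see side by side. The following is an added illustration, not code from PolicyServer or from Trend Micro: the in-memory policy table, the role levels and the two lookup functions are all constructed for the example, and the hypothetical min_role column stands in for whatever authorization check the real product performs.

```python
import sqlite3

# Constructed in-memory policy table standing in for a policy store; this is
# not PolicyServer's real schema. min_role is the lowest role level allowed
# to read the policy (1 = ordinary user, 3 = administrator).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE policies (name TEXT, min_role INTEGER, content TEXT)")
    con.executemany(
        "INSERT INTO policies VALUES (?, ?, ?)",
        [("user-default", 1, "screen lock after 5 minutes"),
         ("admin-recovery", 3, "recovery key export allowed")],
    )
    return con

def lookup_policy_vulnerable(con, name, role_level):
    """Builds the statement by string formatting, so the caller's input is
    parsed as SQL syntax rather than as a value (the CWE-89 pattern)."""
    sql = (f"SELECT name FROM policies WHERE name = '{name}' "
           f"AND min_role <= {role_level}")
    return [row[0] for row in con.execute(sql)]

def lookup_policy_hardened(con, name, role_level):
    """Same query with bound parameters: the driver sends the values
    separately from the statement text, so they can never change its logic.
    int() also rejects a role_level that is not a plain number."""
    sql = "SELECT name FROM policies WHERE name = ? AND min_role <= ?"
    return [row[0] for row in con.execute(sql, (name, int(role_level)))]

if __name__ == "__main__":
    con = make_db()
    # An authenticated low-privilege caller (role 1) controls the name field.
    crafted = "x' OR 1=1 --"
    # Vulnerable form: the trailing comment removes the role check entirely,
    # so the admin-only policy is returned to a role-1 caller.
    print(lookup_policy_vulnerable(con, crafted, 1))  # ['user-default', 'admin-recovery']
    # Hardened form: the same string is just a policy name that does not exist.
    print(lookup_policy_hardened(con, crafted, 1))    # []
    # Hardened form still enforces the role check on a legitimate name.
    print(lookup_policy_hardened(con, "admin-recovery", 1))  # []
```

The point for reviewers is the shape of the fix rather than any particular payload: every statement that receives request data must bind it as a parameter, and the authorization predicate must not be reachable from the concatenated string at all.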
Affected Products
Trend Micro Endpoint Encryption PolicyServer—specific version numbers not provided in the vulnerability description. The CVE should be cross-referenced with Trend Micro security advisories (typically published at https://success.trendmicro.com or https://www.trendmicro.com/security) to identify affected versions (likely covering multiple major versions of Endpoint Encryption suite). Typical CPE patterns would include: cpe:2.3:a:trendmicro:endpoint_encryption_policyserver:*:*:*:*:*:*:*:* (with version constraints to be specified in official advisory). Organizations should consult Trend Micro's official advisory for: (1) exact affected versions; (2) supported versions receiving patches; (3) end-of-life product versions that may not receive patches.
Remediation
Remediation steps (to be confirmed against the official Trend Micro advisory):
1. Apply the security patch released by Trend Micro for Endpoint Encryption PolicyServer; the patch version number is TBD pending the official advisory.
2. Prioritize patching in environments where PolicyServer is internet-accessible or reachable from potentially compromised systems.
3. Implement network segmentation to restrict access to PolicyServer admin interfaces to trusted administrative networks.
4. Apply the principle of least privilege: ensure service accounts and administrative users have only the permissions they need.
5. Monitor PolicyServer logs and database audit trails for suspicious SQL patterns or privilege escalation attempts (authentication attempts from unusual accounts, policy modifications).
6. If a patch is unavailable, implement WAF/IDS rules to detect SQL injection attempts (common payloads: UNION SELECT, stacked queries, boolean-based blind SQLi patterns).
7. Temporary workaround: restrict PolicyServer network access via firewall rules while the patch is being tested and deployed.
Contact Trend Micro support at https://success.trendmicro.com for patch availability and deployment timeline.
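Steps 5 and 6 ask for log monitoring and payload-class detection while the patch is pending. The following is an added example of what such triage logic looks like, not a Trend Micro or vuln.today tool: the request log lines, the endpoint path and the user names are all constructed for the example, and the three pattern families correspond to the payload classes step 6 names. Because authentication is required (PR:L), every hit is tied back to the account that sent it, which is the field an incident responder will want first.

```python
import re
from urllib.parse import unquote_plus

# Signature classes for the payload families named in remediation step 6.
# Deliberately narrow: these are triage aids for post-auth request logs,
# not a substitute for the vendor patch.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "stacked-query": re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b", re.I),
    "boolean-blind": re.compile(r"\b(?:or|and)\b\s+(?:\d+|'\w*'?)\s*=\s*(?:\d+|'\w*'?)", re.I),
}

# Constructed request log lines (hypothetical endpoint path and users; not
# real PolicyServer logs). Format: client user method path status.
SAMPLE_LOGS = [
    "10.0.0.5 user=jdoe GET /policyserver/policy?name=user-default 200",
    "10.0.0.7 user=jdoe GET /policyserver/policy?name=x%27%20UNION%20SELECT%20name%2Cmin_role%20FROM%20policies-- 200",
    "10.0.0.7 user=jdoe GET /policyserver/policy?name=x%27%3B%20UPDATE%20users%20SET%20role%3D3-- 500",
    "10.0.0.7 user=jdoe GET /policyserver/policy?name=x%27%20AND%20%271%27%3D%271 200",
    "10.0.0.9 user=asmith GET /policyserver/policy?name=admin-recovery 403",
]

def classify(line):
    """Return the pattern families that match one log line.
    The line is URL-decoded first; matching the raw encoded form would
    miss every one of the sample payloads."""
    decoded = unquote_plus(line)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]

def scan(lines):
    """Return (user, families) for each line that trips at least one pattern,
    so alerts can be grouped by the authenticated account that sent them."""
    hits = []
    for line in lines:
        families = classify(line)
        if families:
            user = line.split()[1].split("=", 1)[1]
            hits.append((user, families))
    return hits

if __name__ == "__main__":
    for user, families in scan(SAMPLE_LOGS):
        print(f"{user}: {', '.join(families)}")
```

Two practical notes: decode before matching (an encoded UNION%20SELECT never matches a plain-text rule), and treat a burst of hits from one low-privilege account, especially alongside policy modifications or 500 responses, as the signal worth escalating rather than any single matched line.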
EUVD-2025-28285