This bulletin is provided as an INFORMATIONAL BULLETIN only – meaning that the issues outlined in this bulletin are historical and are for the purposes of researcher acknowledgement. All issues in this bulletin have already been addressed on Trend Micro’s backend and there is no risk to, and no action required from Trend Micro customers.
 

Previously Impacted Product

Product | Versions | Platform | Language(s)
Trend Vision One | N/A | SaaS | English


Vulnerability Details

CVE-2025-31282, CVE-2025-31283, CVE-2025-31284, CVE-2025-31285: Broken Access Control Vulnerabilities
Base CVSSv3: 0.0: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N
Weakness: CWE-269: Improper Privilege Management

 

Several broken access control vulnerabilities previously discovered in Trend Vision One could have allowed an administrator to create users who could then change the role of the account and ultimately escalate privileges.

Please note: these issues have already been addressed on the backend service and are no longer considered active vulnerabilities.

 

 

CVE-2025-31286: HTML Injection Vulnerability
Base CVSSv3: 0.0: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N
Weakness: CWE-269: Improper Privilege Management

 

An HTML injection vulnerability previously discovered in Trend Vision One could have allowed a malicious user to execute arbitrary code.

Please note: this issue has already been addressed on the backend service and is no longer considered an active vulnerability.


Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

  • Vaibhav Kumar Srivastava of eSec Forte Technologies Pvt. Ltd