Affected Version(s)
| Product | Affected Version(s) | Platform | Language(s) |
|---|---|---|---|
| Trend Micro Endpoint Encryption (TMEE) PolicyServer | Versions before 6.0.0.4013 | Windows | English |
Solution
Trend Micro has released the following solutions to address the issue:
| Product | Updated version | Notes | Platform | Availability |
|---|---|---|---|---|
| Trend Micro Endpoint Encryption (TMEE) PolicyServer |
(Version 6.0.0.4013) | Readme | Windows | Now Available |
These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.
Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.
Vulnerability Details
CVE-2025-49211: SQL Injection Privilege Escalation Vulnerability
ZDI-CAN-25528
CVSSv3.1: 7.7: AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Weakness: CWE-89: SQL Injection
A SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
CVE-2025-49212: Deserialization of Untrusted Data RCE Vulnerability
ZDI-CAN-25507
CVSSv3.1: 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-477: Use of Obsolete Function
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49220 but is in a different method.
CVE-2025-49213: Deserialization of Untrusted Data RCE Vulnerability
ZDI-CAN-25506
CVSSv3.1: 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-477: Use of Obsolete Function
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49212 but is in a different method.
CVE-2025-49214: Deserialization of Untrusted Data RCE Vulnerability
ZDI-CAN-25518
CVSSv3.1: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-477: Use of Obsolete Function
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a post-authentication remote code execution on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
CVE-2025-49215: SQL Injection Privilege Escalation Vulnerability
ZDI-CAN-25527
CVSSv3.1: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-242: Use of Inherently Dangerous Function
A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
CVE-2025-49216: Authentication Bypass Vulnerability
ZDI-CAN-25519
CVSSv3.1: 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-477: Use of Obsolete Function
An authentication bypass vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to access key methods as an admin user and modify product configurations on affected installations.
CVE-2025-49217: Deserialization of Untrusted Data RCE Vulnerability
ZDI-CAN-25505
CVSSv3.1: 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-477: Use of Obsolete Function
An insecure deserialization operation in the Trend Micro Endpoint Encryption PolicyServer could lead to a pre-authentication remote code execution on affected installations. Note that this vulnerability is similar to CVE-2025-49213 but is in a different method.
CVE-2025-49218: SQL Injection Privilege Escalation Vulnerability
ZDI-CAN-25526
CVSSv3.1: 7.7: AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
Weakness: CWE-89: SQL Injection
A post-auth SQL injection vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to escalate privileges on affected installations. This is similar to, but not identical to CVE-2025-49215.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.
Mitigating Factors
Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.
However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.
In addition, due to the seriousness of these issues, Trend Micro also released some Network IPS rules/filters for proactive secondary protection for some of the vulnerabilities:
TippingPoint and Trend Micro Cloud One - Network Security: Filters 45073, 45072
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:
- Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative
External Reference(s)
- ZDI-CAN-25528
- ZDI-CAN-25507
- ZDI-CAN-25506
- ZDI-CAN-25518
- ZDI-CAN-25527
- ZDI-CAN-25519
- ZDI-CAN-25505
- ZDI-CAN-25526