Affected Version(s)

Solution

Trend Micro has released the following solutions to address the issue:

Note that although some of the vulnerabilities listed below may have technically been addressed in a previous version, Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

Vulnerability Details

CVE-2025-49154:  Insecure Access Control Vulnerability 
CVSSv3.1: 8.7 AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Weakness: CWE-284: Improper Access Control

An insecure access control vulnerability in Trend Micro Worry-Free Business Security and Worry-Free Business Security Services could allow a local attacker to overwrite key memory-mapped files which could then have severe consequences for the security and stability of affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2025-49487:  Uncontrolled Search Path Element Arbitrary Code Execution Vulnerability 
ZDI-CAN-23056
CVSSv3.1: 6.8 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-427: Uncontrolled Search Path Element

An uncontrolled search path vulnerability in the Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an attacker with physical access to a machine to execute arbitrary code on affected installations.

An attacker must have had physical access to the target system in order to exploit this vulnerability due to need to access a certain hardware component.

Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a previous WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

CVE-2025-53378:  Missing Authentication Vulnerability 
ZDI-CAN-25342
CVSSv3.1: 7.6 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Weakness: CWE-306: Missing Authentication for Critical Function

A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations.

Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

Mitigating Factors

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.

Acknowledgement

Trend Micro would like to thank the following individuals for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

• Alexander Pudwill (CVE-2025-49154)
• Will Dormann working with Trend Micro's Zero Day Initiative (CVE-2025-49487)
• Nicolas Caluori working with Trend Micro's Zero Day Initiative (CVE-2025-53378)

External Reference(s)

• ZDI-CAN-23056
• ZDI-CAN-25342