Trend Micro has patched eight vulnerabilities (CVE-2025-49211 to CVE-2025-49218) in its Endpoint Encryption PolicyServer for Windows, with CVSS scores ranging from 7.7 to 9.8. The flaws include SQL injection, insecure deserialization, and authentication bypass issues, which could allow privilege escalation and remote code execution without authentication. While no active exploitation has been reported, users are advised to upgrade to version 6.0.0.4013 and apply Network IPS filters 45072 and 45073 to reduce exposure.
CVE-2025-49211 to CVE-2025-49218 are critical vulnerabilities in Trend Micro’s Endpoint Encryption PolicyServer for Windows, including SQL injection, insecure deserialization, and authentication bypass flaws, with CVSS scores reaching up to 9.8. These issues could allow attackers to escalate privileges or perform remote code execution without authentication. Although no active exploitation has been observed, Trend Micro strongly advises updating to version 6.0.0.4013 and applying IPS filters 45072 and 45073 to mitigate the risks.
SQL Injection Vulnerabilities:
A local SQL injection vulnerability (CWE-89) that enables privilege escalation by executing code with low privileges. This flaw compromises the confidentiality, integrity, and availability of the system.
A post-authentication SQL injection vulnerability that permits escalation of privileges via low-privileged code execution, potentially impacting critical system components.
Like CVE-2025-49215, this is a post-authentication SQL injection issue requiring low-privileged code execution to elevate access rights.
Insecure Deserialization Vulnerabilities:
A pre-authentication insecure deserialization vulnerability (CWE-477) that allows remote code execution as SYSTEM due to the use of obsolete functions.
This pre-authentication flaw also involves insecure deserialization using outdated functions, enabling attackers to execute arbitrary code with SYSTEM-level privileges.
An insecure deserialization vulnerability requiring low-privileged code execution. Successful exploitation allows SYSTEM-level remote code execution.
Another pre-authentication insecure deserialization issue that lets attackers achieve remote code execution by exploiting obsolete function usage.
Authentication Bypass Vulnerability:
An authentication bypass flaw (CWE-477) in the DbAppDomain service that allows unauthenticated attackers to invoke admin-level methods and modify configurations. This significantly increases the risk of system compromise by bypassing standard security controls.
Conclusion:
In summary, the identified vulnerabilities in Trend Micro Endpoint Encryption PolicyServer, including critical SQL injection, insecure deserialization, and authentication bypass flaws, pose significant risks such as privilege escalation and remote code execution. These vulnerabilities have high severity scores, with several exploitable before authentication, increasing the attack surface considerably. To mitigate these risks, it is strongly recommended to update the product to version 6.0.0.4013 and apply the relevant Network IPS filters (45072 and 45073). Prompt patching will help ensure protection against potential exploitation and maintain system integrity.
These vulnerabilities severely impact confidentiality, integrity, and availability by enabling privilege escalation and remote code execution, which could compromise encryption keys and endpoint security. The authentication bypass vulnerability (CVE-2025-49216) undermines critical access controls, allowing unauthorized administrative actions. Additionally, pre-authentication remote code execution flaws expose systems to full compromise without requiring prior access. Together, these issues pose a significant threat to overall system security and stability.
https://success.trendmicro.com/en-US/solution/KA-0019928
